A method of renting software that relies on the reversal of encryption processes by the integration of secure processing into the system microprocessor of a user controlled data processing system. It consists of protected software objects that, in addition to being functionally limited so as to require reversal of said limitation within the system microprocessor, also have closely integrated information about conditions of use. This is used to distribute computer software on a large scale that may run on any computer. The user is charged on a unit basis. The secure processes described for the system microprocessor will have applications in other secure processes.
TITLE OF INVENTION:

A SECURE PAY-AS-YOU-USE SYSTEM FOR COMPUTER SOFTWARE

TECHNICAL FIELD:

The distribution of software and other information reversibly functionally limited, usually by encryption, requiring reversal by a secure device that may also be used to provide software on a pay-as-you-use basis.

BACKGROUND TO THE INVENTION AND DESCRIPTION OF THE RELATED ART:

The invention describes a method and apparatus that protects software objects. The protected information cannot be used without the assistance of one or multiple secret processing devices. Said secret processing devices provide a mechanism for reversing the protection applied to said information, and said reversing may only be activated by certain predetermined secure processes. The process of activating said reversing usually ensures that the producer of said information and or their agents receive correct payment for usage.

High speed dispersal of information between most computers with access to a modem/telephone line, together with enhancing means of storing in excess of ten gigabytes of information on a writable optical disk, is likely to lessen the commercial value of information released in clear code format. One clear code copy in the wrong hands could result in its effective worldwide dispersal in a short time.

One objective of the invention is to provide a means of maintaining security applied to information during and after it performs the functions required of it.

The known art describes a means of protecting computer software by requiring the presence of particular devices to operate properly. These devices are secure to varying extents. The problem with computer software is that the protection applied must be reversed prior to providing the information to the system CPU for processing. Once reversed it is accessible to those experienced in the art.

Known art WO 90/13865 describes a process whereby a secure location remote to a potential user supplies an encrypted software object to a user controlled data processing system and a secure method of decrypting said encrypted software object. The software object usually contains information that is continually varying. This provides security by default in that it is a waste of time analysing information that is redundant shortly after its creation. This known art does not provide effective security against objects that, once downloaded and deciphered, may be used in perpetuity, as is usually the case with computer programs.

Known art described in AU-A-14856/95 relies on software methods to process the deciphering algorithms used to reverse functional limitations placed on software objects. Said software methods are susceptible to an experienced person generating usable information from protected software objects reliant on this method.
The current invention may be used to significantly strengthen the security and flexibility of the known art described in WO 90/13865 and or AU-A-14856/95. It may also be used as a significantly more secure and flexible replacement for this known art.

Other known art calculates (and this may be by the use of information supplied by an associated computer program) certain values in a secure environment. Said values are passed to an associated computer program and compared with internally generated values. These methods are in effect verifying that said secure environment is present and has presumably been purchased with the computer program. Said secure environment is not providing an essential function absent from said associated computer program, as it is practical to circumvent this protection by disassembly of parts of the program to examine the other side of the equation.

The known art describes a cryptoprocessor (US patents 4465901, 4419079, 4278837, 4168396) that is capable of deciphering instructions and or data in real time as it is loaded into the central processing unit. Said instructions and or data are usually stored in enciphered format in external memory. This known art is not suitable for use in a user controlled data processing system:

• that may variably have one or multiple programs loaded from a potentially large selection and or said programs may use different decryption parameters; and or
• where the address occupied by a particular program may be different on each occasion it is loaded (said known art is particularly directed at ensuring that an encrypted program will crash with minor variations to its location in the address map); and or
• where one or multiple encrypted programs may need to co-exist with clear code programs in a constantly varying environment; and or
• where it is not usually practical to protect the external memory from tampering and or analysis; and or
• where an interrupt to an encrypted program may direct processing to non-secure methods that may threaten the secrecy of certain information, and this may include that within CPU registers at the time of interrupt; and or
• where an encrypted program needs to temporarily transfer processing to an insecure location; and or
• where an encrypted program needs to protect its stack from analysis; and or
• where an encrypted program exists as multiple modules that are loaded as required and where one or multiple modules may use different decryption parameters that need to be dynamically changed as program execution flows between them; and or
• where different programs in a multitasking environment, that may have different decryption parameters, need to be securely switched on a frequent basis.

The known art describes the programming of software objects into a secure microcontroller. This is restricted to a limited number of predefined functions. However, the known art does not describe the processing of software objects within a user controlled data processing system in conjunction with a secure environment that is not practical to analyse, wherein said secure environment (that may be a microprocessor) includes inaccessible information and also provides for external software objects, that may be selected and loaded as required from a potentially large number, to be able to transfer processing (and or pass any required data) to said inaccessible information within said secure
environment, wherein said secure environment includes computer instructions and or data (including that passed) which may be processed in secret within said secure environment to perform important functions and or any other functions that are absent from said software object, and that provides for transfer of processing and or data back to said software object as appropriate; and or provide data that is absent from an external software object when appropriately requested by said software object. Said inaccessible information:

• may be preprogrammed into a storage device; and or
• may be greater than the available storage device within said secure environment; and or
• may be dynamically swapped in and out of said secure environment; and or
• may be transferred to said secure environment and decrypted within said environment and processed within said secure environment;

and this applies for any of the preceding combinations when said secure environment is part of:

• one or multiple system microprocessors, and or
• one or multiple devices attached directly and or indirectly to the user controlled data processing system, and or
• devices linked via network and or Internet (or equivalent in part or whole).

The known art does not describe any method and apparatus that permits multiple protected software objects, including those protected:

• by software encryption/decryption alone, and or
• by secure decryption within a secret environment, and or
• by secure decryption and secure execution of the ensuing decrypted information within a secret environment,

that allows said multiple protected software objects to concurrently and or otherwise execute in a multitasking and or multiuser and or multiprocessor environment (where said multiprocessors may be the same and or different).

One objective of the present invention is to provide a method and apparatus:

• that overcomes part or all of the aforementioned deficiencies in the known art, and
• that may be used to support a multiplicity of new methods and apparatus for distributing computer software, and
• that may be used to strengthen a number of weaknesses with the current art.

The known art describes a number of methods for distributing software whereby the user pays on 'an as used basis'. These methods include those protected exclusively by software methods. These usually include various software clocks that count down on a predetermined basis, and inactivate the program at the appropriate time. Payment is usually made for the use of a particular object on the terms predetermined. Disadvantages of this method include:

• inherent lack of security;
• the unsecure nature of the protection processes makes it unlikely that software vendors will feel comfortable with the process;
• should software vendors make a large selection of software available, users would usually be required to pay for access to the full period predetermined for each program, making it unappealing for users to access a large number of different programs as required (apart from any trial periods);
• lack of flexibility;
• user cannot self-determine the amount of time required and pay accordingly.

The security of the process for renting software is improved with known art described in WO 90/13865, wherein there is a secure device within the user controlled data processing system that monitors the time used by a software object downloaded from a service provider. Details of time used are periodically transferred back to the service provider. This method requires the user to be on line to receive said software object and to receive the timing parameters pertaining to said software object. The method also requires the user to remain on line for continued security of the process and to periodically upload elapsed time to the service provider. The user would normally be billed on a predetermined basis for software usage.

The known art does not describe a method and apparatus to provide a secure recording of usage of more than one program at a time in a multitasking and or multiuser and or multiprocessor environment.

The known art does not describe a secure and secret environment that can be securely programmed with a predetermined amount of usage, whereby said usage:

• is prepaid, and or
• is a credit limit for use that will be billed at a later date;

and said predetermined amount of usage remains available for an extended period of time (preferably surviving loss of system power) for use as required, with said predetermined amount of usage appropriately varied by the use of multiple software objects over said extended time, and or said predetermined amount of usage may be securely updated with additional usage rights as required.

The known art does not describe a secure and secret environment that can:

• securely record usage of software objects; and or
• securely maintain a record of amounts owing to different vendors and or against different software objects, and or
• provide a report on any basis, including usage, and or
• temporarily or permanently disable itself in part or whole should said predetermined amount of usage be utilised, and or
• temporarily or permanently disable itself should it fail to receive secure confirmation that reports sent to a service provider have been received.

The known art does not describe a method and apparatus to permit a large number of software objects to be created that include information about their particular billing requirements, whereby said software objects are subsequently distributed on a large scale permitting each potential user to use any of the software objects as frequently as they require and only pay for use incurred, said use reducing the amount of usage predetermined within said secure and secret environment. There is no known method and apparatus that compensates for variations between information stored within previously released software objects and that which is current, particularly as it applies to billing information.
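The usage accounting the preceding paragraphs describe (prepaid units that survive loss of power, amounts owing per vendor, authenticated reports that must be acknowledged, top-ups, and self-disabling once the units are spent) is illustrated by the Python below. It is an added example written for this page, not code from the patent or from any product. The HMAC-SHA256 keying, the JSON voucher and report formats, the class and function names and the SHARED_SECRET value are all assumptions of the example; a real SPD would keep the secret in tamper-resistant storage and never export it.

```python
import hashlib
import hmac
import json

# Constructed secret shared by the SPD and the service provider (an assumption
# of this example; a real SPD would hold it in tamper-resistant storage).
SHARED_SECRET = b"example-spd-secret-not-a-real-key"


class UsageExhausted(Exception):
    """Raised when the SPD has no units left or has disabled itself."""


def _mac(secret, msg):
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class SecureUsageLedger:
    """Prepaid generic units held inside the SPD, debited as protected
    objects run, with amounts owing tracked per producer."""

    def __init__(self, units, secret=SHARED_SECRET):
        self.units = units            # prepaid or credit-limit units remaining
        self.owing = {}               # producer id -> units consumed
        self.disabled = False
        self.pending_report = None    # tag of a report not yet acknowledged
        self.used_vouchers = set()    # replay protection for top-ups
        self._secret = secret

    def charge(self, producer, units_used):
        """Debit one billing tick; concurrent objects each call this in turn."""
        if self.disabled:
            raise UsageExhausted("SPD is disabled")
        if units_used > self.units:
            self.disabled = True      # predetermined usage utilised -> disable
            raise UsageExhausted("prepaid units exhausted")
        self.units -= units_used
        self.owing[producer] = self.owing.get(producer, 0) + units_used
        return self.units

    def top_up(self, voucher, tag):
        """Add usage rights only for an authenticated voucher not seen before."""
        if not hmac.compare_digest(_mac(self._secret, voucher.encode()), tag):
            return False
        if voucher in self.used_vouchers:
            return False
        self.used_vouchers.add(voucher)
        self.units += json.loads(voucher)["units"]
        return True

    def report(self):
        """Authenticated usage report for the service provider."""
        body = json.dumps({"units_left": self.units, "owing": self.owing}, sort_keys=True)
        self.pending_report = _mac(self._secret, body.encode())
        return body, self.pending_report

    def confirm(self, code):
        """A wrong or missing acknowledgement of the last report disables the SPD."""
        if self.pending_report is None:
            return False
        expected = _mac(self._secret, b"ack:" + self.pending_report.encode())
        if not hmac.compare_digest(expected, code):
            self.disabled = True
            return False
        self.pending_report = None
        return True

    def save(self):
        """Serialise state under a MAC so it survives loss of system power."""
        state = {"units": self.units, "owing": self.owing,
                 "disabled": self.disabled, "used": sorted(self.used_vouchers)}
        body = json.dumps(state, sort_keys=True)
        return body + "|" + _mac(self._secret, body.encode())

    @classmethod
    def load(cls, blob, secret=SHARED_SECRET):
        body, tag = blob.rsplit("|", 1)
        if not hmac.compare_digest(_mac(secret, body.encode()), tag):
            raise ValueError("stored ledger state has been tampered with")
        state = json.loads(body)
        ledger = cls(state["units"], secret)
        ledger.owing, ledger.disabled = state["owing"], state["disabled"]
        ledger.used_vouchers = set(state["used"])
        return ledger


def demo():
    """Two producers billed over three ticks, then report, top-up, replay, reload."""
    ledger = SecureUsageLedger(units=10)
    for _ in range(3):
        ledger.charge("producer-A", 2)
        ledger.charge("producer-B", 1)
    _, tag = ledger.report()
    # Service-provider side (constructed here): acknowledge, then issue a voucher.
    acknowledged = ledger.confirm(_mac(SHARED_SECRET, b"ack:" + tag.encode()))
    voucher = json.dumps({"units": 20, "serial": 1}, sort_keys=True)
    vtag = _mac(SHARED_SECRET, voucher.encode())
    topup, replay = ledger.top_up(voucher, vtag), ledger.top_up(voucher, vtag)
    restored = SecureUsageLedger.load(ledger.save())   # simulated power loss
    return {"units": restored.units, "owing": restored.owing,
            "acknowledged": acknowledged, "topup": topup, "replay": replay}
```

The ledger never trusts anything it did not authenticate: a voucher is accepted once and only with a valid tag, a report is considered delivered only after an acknowledgement keyed to that report's tag arrives, and state reloaded from storage is rejected if its MAC does not verify, which is what lets the units survive a power cycle without becoming editable.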
It is another objective of the invention to provide a method and apparatus to overcome, in part or whole, the aforementioned deficiencies with the known art, and said method and apparatus may also be used for a number of other described applications. An important objective is the provision of a secure, virtually transparent (to the user) method of renting software for use on a user controlled data processing system (UCDPS), on a usage basis, that in one configuration is independent of any attachment to any devices coupled remotely (eg. telecommunications link) to the UCDPS.

The method and apparatus described to advance the art of protecting and distributing computer software may also be adapted in part or whole to the protection and distribution of other commercially valuable information.

DEFINITIONS:

Replication or duplication may be one to many copies and may include replication of part or whole in any combination and or number.

Decrypt(ed) and decipher(ed) may be used interchangeably and refer to reversal of a previously applied encryption process. Unless relating to a specific decryption process that is a claim of the invention it may be interpreted as being any known method of decryption.

Decode is generally used in the traditional computer sense of decoding addresses etc., however, where the context permits it should be interpreted as for decrypted.

Clear text (or clear code) is information that is not encrypted and may be derived from encrypted information and or may have been supplied as clear code.

Internal to the System CPU (or System Microprocessor) indicates that the hardware and or microcode and or software is on the same integrated circuit substrate; and or that they are on multiple substrates interfacing where necessary using any known method and apparatus within the package of the system CPU; and or part of the device is within the system CPU package and part (or all) external to the System CPU package and attached externally to the System CPU package using any method and apparatus.

A system CPU, also referenced as system microprocessor, is one that a person experienced in the art would consider to be suitable as the primary (or one of multiple primary) processing units in a User Controlled Data Processing System (UCDPS).

Processing or process refers to the actual execution of computer instructions and or the manipulation (in any way) of data associated with the computer instructions and or manipulation (in any way) of any other data.
Software Object: A software object is that which a person experienced in the art would consider a software object. Computer programs and or subroutines that constitute part of a computer program are considered software objects. Data pertaining to said computer programs is a software object. Information that is processed by a UCDPS and subsequently displayed as text and or images and or sound for any reason, including as normal output from a computer program and or electronic books (and similar) and or music and or other sound and or visual imagery and or video in the form of motion pictures, is a software object.

PCPU: Within this application reference to a PCPU or Protected CPU refers to a Secret Processing Device (SPD) embedded within the system microprocessor package of a UCDPS.

ESPD: Reference to an External Secret Processing Device or ESPD refers to an SPD attached directly or indirectly to any other part of the UCDPS.

End of Definitions.

DESCRIPTION OF THE DRAWINGS:

Figure 1 is a diagram of an apparatus suitable for use as a secret processing device embedded within the system microprocessor.
Figure 2 is a diagram of basic [...]
Figure 3 is a diagram of the [...] with the system microprocessor.
Figure 4 is a diagram of command port structure.

DESCRIPTION OF THE INVENTION:

A SECURE PAY-AS-YOU-USE SYSTEM FOR COMPUTER SOFTWARE

The invention describes a method and apparatus for the protection of software against piracy and provides a secure process for the mass distribution of software. This is done by functionally limiting a software object and securely linking it with conditions of use and object support information to create a Protected Software Object (or PSO) which must be used with a Secret Processing Device (or SPD) that is directly or indirectly attached to a User Controlled Data Processing System [...] software. The preferred location of the secret processing device is within the package of the system microprocessor of the User Controlled Data Processing System where the combination [...]

The following describes those aspects considered essential to a full implementation of the invention.

1) a method of distributing software objects from a producer to a potential user comprising the method steps of:

i) providing a secret processing device (or SPD) for direct and or indirect attachment to a UCDPS whereby said SPD is any one or multiple hardware devices that may use any combination of software and or microcode and or any other method to provide a secure and secret environment for processing information and or storing information and that provides the following:

a) any one or multiple methods and or apparatus that:
securely decrypt and execute instructions and or securely decrypt and process data that complies with part or all of the requirements of reversing functional limitations applied using the Oscar method (described later); and or reverses the functional limitations applied using the Groover method (described later); and or reverses any other functional limitation [...] that may be necessary to provide any of the functions required by said PSOs; and or access any part of one or multiple PSOs that may be located external to the SPD in order to provide any of the functions required by said PSOs; and or examine the conditions of use linked [...] response to said conditions of use; and or respond to said conditions of use;

and or

b) may be embedded, in part or whole, [...] be within any one or multiple devices attached directly and or indirectly to the system microprocessor and or the UCDPS, and may not disrupt the [...] application that in part or whole is dependent on connection to a distributed data processing system, that may be of any type, including local networks and or intranet (or similar) and or the Internet (or similar), and may benefit from connection to one or multiple remote computers and or any other devices to simplify transmission of various information; however, said secure and secret processing functions, in part or whole, are functional and or remain functional when said UCDPS [...] standalone unit independently of attachment to remote devices, and said UCDPS may be switched on and off for variable periods of time and or moved to different locations and or reset as frequently as required, without affecting the functions that are provided to said UCDPS;

and or

c) provides an area of secure memory storage devices that is not practical to analyse;

and or

d) provides for partition of secure memory storage devices into one or multiple secure system partitions and one or multiple user partitions whereby programs in system partitions may access user partitions, however, a user partition may not access a system partition unless authorised, and or any particular user partition may not access any other user partition unless authorised;

and or

e) may transfer part or all of protected software objects and or any other software object from unsecure to secure locations for processing; and or

f) may securely decrypt part or all of encrypted parts of protected software objects and or any other encrypted information within said secure locations;

and or

g) may process part or all of one or multiple protected software objects, including processing of part or all of that information loaded [...];

and or

h) are programs and or data preprogrammed into the device and or transferred in encrypted format and or in clear code, that assist and or replace any other known software protection and or distribution systems that are dependent in part or whole on user accessible software processes and or unsecure identifying codes to provide protection against unauthorised use of software objects, when part or all of said user accessible software processes and or
unsecure identifying codes [...] location that permits private processing of the information;

and or

i) have the capacity to detect where suitably configured protected software objects have been tampered with;

and or

j) may perform secret encryption and or secret decryption in a manner that cannot be analysed, and this may be a software and or hardware function;

and or

k) has the capacity to implement, in part or whole, one or multiple hardware devices in programmable logic, preferably programmable logic that may be rapidly erased in the event of tampering, and this includes encryption and or decryption functions implemented in part or whole in hardware, and hardware functions implemented in programmable logic [...];

and or

l) may use any method to [...], where said attempt may be physical and or logical analysis, and the response may be any action, using any method, including disabling [...] of the secret information that may be stored [...];

and or

m) may securely store [...] parties and or securely store information in encrypted format in locations that may be accessible to unauthorised parties, and may detect tampering with [...];

and or

n) may have the capacity to securely monitor the usage of protected software objects;

and or

o) may securely record the usage of said protected software objects and [...] of the usage on a producer and [...];

and or

p) may request and [...] user of the UCDPS to provide any necessary [...];

and or

q) may confirm that said reports have been received as required;

and or

r) does not require modification of the User Controlled Data Processing System operating system;

and or

s) may not require special [...];

and or

t) may identify the type of protected software object and act as required [...];

and or

u) provides or have access to one or multiple tamperproof, nonvolatile sources of time and or date;
and or

v) provides or have access to one or multiple tamperproof timers;

and or

w) provides one or multiple methods [...] an electronic signature;

and or

x) provides one or multiple [...] across particular groups of SPDs;

and or

y) provides one or multiple programs, that may be preprogrammed (into the SPD) and or transferred (into the SPD) as required, that use secret information [...];

and or

z) may process multiple protected software objects in a multitasking environment, and this may be transparent to the UCDPS operating system;

and or

aa) include functions, preferably implemented in reprogrammable secure memory, that may be edited and or modified and or deleted and or expanded and or in any other way altered, in a secure manner and usually transparently to the [...] the SPD for any purpose, including: making multiple SPDs identical in part at least (including multiple PCPUs in a multiprocessor system); and or creating one or multiple applications not currently available to the SPD; and or permitting any current application to be dynamically adapted, including dynamically reprogramming various hardware functions implemented in part or whole with reprogrammable logic connections; and or dynamically modifying decryption processes;

and or

ab) are programs and or [...] code that assist any function described for the correct processing of protected software objects;

and or

ac) include secure memory that stores various internal system routines and may be loaded with externally supplied objects for decryption and or execution and or any other purpose;

and or

ad) may decide to reverse one or multiple [...] use, where said decision is in part at least autonomous to the SPD and based, in part at least, on secure processing internal and or external to the SPD of generic information applicable to multiple PSOs, that may include a plurality of any information states within and or external to the SPD, including one or multiple electronic credits that is modified (directly or [...]) [...] the requirements [...] with, the user of said UCDPS may be able to execute and or process [...] were unprotected software objects;

ii) providing a software object;
iii) modifying part or all of said software object such that it is functionally limited to run on only a UCDPS fitted with a SPD and or equivalent, and the functional limitation is by the Oscar method as defined below and or by the Groover method as defined below and or by any other method, and said functional limitation may be of one or multiple essential parts of the software object, preferably such that it is not practical to regenerate the original software object from any parts that are not functionally limited, and said modifying is preferably done at a secure location (also referenced as a service provider) that has access to part or all of secret information [...] the SPD, and for any particular functionally limited software object [...] a specific SPD with any unique characteristics necessary to reverse the functional limitation, or the functional limitation may be reversed on a plurality of SPDs characterised by common characteristics necessary to reverse the functional limitation; and or

modifying part or all of said software object [...] any method, to one or multiple conditions of use, also referenced as PCPU Inclusion Commands (or PIC), that in part or whole are tamperproof and that include any code that directly or indirectly identifies the producer of the software object and [...] record [...] basis, in part or whole, where [...] and or any other parties; and or the conditions of use include any code that contains information which may be used by the SPD to determine if the software object:

• is permitted to execute in part or whole on a units of time used basis, and if permitted, what fee should be applied for the use of the software object, and said fee may be any unit of measurement and is preferably a generic units of use basis and said generic units may be attributed any real currency value at any stage;
and or
• is permitted to execute in part or whole on an events occurring basis, for example the number of times one or multiple parts of the program are loaded and or executed and or any other measurable events basis, and if permitted, what fee should be applied [...] preferably a generic units of use basis and said generic units [...];
and or
• is permitted to execute [...] of the software object and said fee may be [...] said generic units may be attributed any real currency value at any stage;
and or
• is permitted to execute on any type of limited basis subject to a fee, and if permitted, what fee should be applied for the use of the software object and said fee may be any unit of measurement and is preferably a generic units of use basis and said generic units may [...];
and or
• requires entry of one or multiple data keys [...] the first and or any other time on a particular SPD and may include whether or not a fee is to be charged for providing the data key;
and or
• requires any other restrictions to be placed on use;
and
any software object modified in part or whole as described is referred to as a Protected Software Object (or PSO);

said Oscar method is any functional limitation of part or all of a software object by any method of encryption, usually at a secure location remote to the user, where part or all of the reversal of the encrypted information, by decryption and or any other method, occurs within a secure environment directly and or indirectly attached to a UCDPS such that part or all of the instructions and or data of the software object reconstituted by said reversal are not accessible to analysis by any unauthorised party, and the execution of part or all of said instructions and or the processing (using any method) of part or all of said data that is not accessible to analysis by an unauthorised party remains in part or whole inaccessible to analysis by any unauthorised party. The result is that part at least of the functional limitation placed on a software object is not compromised by the process of using said software object;

said Groover method is any functional limitation of part or all of a software object by deletion of part or all of the information within the software object, usually at a secure location remote to the user, where part or all of the reversal of the deletion, by any method, occurs within a secure environment directly and or indirectly attached to a UCDPS such that part or all of the instructions and or data of the software object reconstituted by said reversal are not accessible to analysis by any unauthorised party, and the execution of part or all of said instructions and or the processing (using any method) of part or all of said data that is not accessible to analysis by an unauthorised party remains in part or whole inaccessible to analysis by any unauthorised party. The result is that part at least of the functional limitation placed on a software object is not compromised by the process of using said software object;
21 

iv) providing one or multiple PSOs onto computer-accessible memory media and or any suitable apparatus for electronically transferring said PSOs to a potential user, and preferably the conditions of use attached to said one or multiple PSOs permit said PSOs to be used on a time or events used basis in a UCDPS suitably equipped with a SPD that has sufficient aforementioned units of measurement stored within and or securely accessible;

v) supplying said one or multiple PSOs on computer-accessible memory media to a potential user and or electronically transferring said one or multiple PSOs;

vi) loading said one or multiple PSOs into a UCDPS and executing as permitted by conditions of use;

vii) where required by the conditions of use or any other reason, a means for the user to:
• request the supply of one or multiple units of measurement that may be required by the SPD for any purpose, and or
• receive one or multiple said units of measurement, preferably in suitably encrypted format, that may use any method, and transfer said units of measurement into the SPD, and or accessible to the SPD, and or
• request the supply of one or multiple data keys that may be required by the SPD, and or
• receive one or multiple data keys and transfer said data keys into the SPD, and or accessible to the SPD, using any method, and or
• generate one or multiple reports of software usage and or any other information that may be required, and supply said reports to the service provider and or any other external location, as required, and or
• receive one or multiple codes confirming that said report has been received and supply said one or multiple confirming codes into the SPD and or accessible to the SPD, and or
• request the service provider and or any other authorised party for one or multiple codes that may be used to reactivate part or all of the SPD that may have been disabled, and or
• receive one or multiple codes to reactivate part or all of the SPD and transfer said codes into the SPD, and or accessible to the SPD; and
for any of the preceding, the information generated by the UCDPS and or received from the service provider is preferably transferred electronically, however, any other combination of methods may be used including mailing of computer-accessible memory media containing the information.

PREFERRED IMPLEMENTATION OF THE INVENTION:

To assist with understanding the invention, reference will now be made to the accompanying drawings which show one example of the invention. In the drawings, Figure 1 shows an apparatus that is suitable for use as a secret processing device embedded within the system microprocessor.

Throughout this description and the accompanying drawings, many signal lines are represented by a single line and an identifying symbol. This ma^ clock, clear and set a flip flop, however, usually only one signal line will be shown to repre^ of various buses, the lines represent said bus or whatever subset of said bus is relevant for the logic functions it may be entering or leaving. Many control lines are not described or shown in this description as it will be obvious to anyone experienced in the art, where, when, and how, they should be used in order to make functional any apparatus described; descriptions are detailed when needed to help clarify the implementation of any particular function. Throughout this description, the polarity of signals is usually immaterial and not discussed unless of spe^cco^ invention. When a latch or other device is set or cleared the alternative arrangement^ register is a commonly used storage device with any other logic and or combination of logic and or software and or microcode that remit* hi « «im4i^ n^t^m?

The invention describes:

1. a method of reversibly function^ reverse part or all of the functions of the reversible functional limitations and preferably includes a method of securely linking the conditions of use that apply to a particular reversibly functionally limited software object to said reversibly functionally limited software object such that this information may be used in part or whole to determine whether to permit the SPD to reverse the reversibly functionally limited software object. The conditions of use are preferably an integral part of the reversibly functionally limited software object and or supplied as one or multiple other modules that are linked in a manner that prevents the unauthorised separation of conditions of use and reversibly functionally limited software object. This produces a protected software object (or PSO) which may be distributed to a potential user and loaded onto a UCDPS and includes instructions to the SPD on how it may be used. This permits objects to be widely distributed and used in stand^ required to reverse, in part at least, the reversible functional limitations, complying with the conditions of use. The conditions of use may also be supplied^ linked, into an SPD transparently to the operating system of the UCDPS^

When a PSO is securely linked with conditions of use it may be used on a UCDPS equipped with an SPD without any extra intervention by the user than would normally be required for the protected object in its native software object form, with the exception of any requirements that the SPD requires of the user.

2. an apparatus referenced as an SPD that has various secure system functions that allow it to interact correctly with one or multiple reversibly functionally limited software objects prepared for use with one or multiple SPDs. The SPD includes an internal secure ar^ way required to appropriately reverse, in part or whole, reversibly functionally limited software objects. The secure functions of the SPD may have other applications.

The preferred embodiment of an SPD is included within the package of the system microprocessor; such a combination^ Preferred^ the UCDPS external to the package of the system microprocessor; this is referenced as an ESPD. A PCPU may include multiple system microprocessors. There may be multiple PCPUs within a UCDPS. There may be multiple ESPDs within a UCDPS. Multiple SPDs in any location may interact in any way and combination with any others or not at all. The embodiment of a system microprocessor to implement the apparatus of the invention is predominantly dependent on the use of secure memory storage devices of various types and an ability to securely process information within these devices, and a person experienced in the art will be able to arrange logic, software and microcode in many combinations to effect versions of an SPD and PSO that are within the spirit of the invention. This arrangement permits the secure functions required of the present invention to be implemented^ a person knowledgable in the art will appreciate that the secure processes used for the invention may have multiple other secure applications. The known art does not describe a system microprocessor suitable for use in a UCDPS that provides the secure processing functions described in this embodiment. The invention allows for any system microprocessor that provides the apparatus and or functions described in the application.

Figure 1 shows a block diagram of a system microprocessor that may communicate with a secure microprocessor that is securely linked to^ secure functions. When the secure memory is programmed with appropriate information, the combination of software routines and embedded hardware functions and changes to the microcode of the system microprocessor provides all of the requirements of an SPD securely embedded within the system microprocessor package. This device may be used to replace the existing system microprocessor and, subject to being supplied with any information required to meet the conditions of use attached to a PSO, may execute that PSO as if it were a normal software object. It will be appreciated by those expert^ logic, software and microcode to implement the device as described.

Figure 1 shows the silicon chip 130 of the system microprocessor 1. The system microprocessor 1 normally interfaces with external locations via an address bus 5 and address buffers 2 and data bus 6 and data buffers 3 and various control logic 7 via buffered^ microprocessor 1 via control line 9. Instructions are interpreted and implemented by a combination^ and logical devices within the instruction execution block 8, located within system microprocessor 1. The apparatus of the invention needs to communicate with the system microprocessor 1 and this is most readily implemented with dual port memory 19, a memory that allows read and write accesses by two devices to the same addresses on an asynchronous basis. There are many ways of achieving an equivalent result. As described in this embodiment the DP memory 19 is not intended to su^ Processes^ The invention allows for the recording of failed attempts at access and may disable itself to prevent repeated attempts to compromise secure elements.

The system microprocessor^ using any known encoding apparatus, however, the preferred method is to make the addresses occupied by the 90 side of the dual port memory 19 a separate address space to the UCDPS. This is referenced as a transp^ functions.

The primary interaction of the system microprocessor 1 to dual port memory 19 will be to read and write data between UCDPS addresses and dual port memory 19 for transfer into secure functions 50 by the secure microprocessor 20 and the reverse. There may also be a requirement to transfer data from one location to another within the dual port memory 19^ Reset of the system microprocessor 1 initialises normal address decoding, with the dual port memory 19 inaccessible by the system microprocessor 1.

The execution of a TAA instruction, with for example X as the opcode, and the combination referenced as TAAX, is carried out if the system microprocessor 1 wants to move information from UCDPS memory to dual port memory 19, in which case buffers 2, 3, 4 would be activ^ a write operation the address decoder enable signal 11 is active, enabling the address decoder 10 to decode a predetermined address block (that may be made programmable) of dual port memory 19 using chip select 13, that also keeps the buffers 2, 3, 4 disabled by blocking any enabling effect of 9 via logic gate 14. Data is read from UCDPS memory space and written to dual port memory 19. Instruction TAAY performs the reverse by activating 11 during read operations. Instruction TAAZ activates 11 for reading and writing. TAAB disables 11 for all reading and writing, the normal situation. The TAA instruction only affects operations that are fetching data, not instructions, and most system microprocessors have a signal to distinguish between the two. An instruction referenced as the TBAX instruction may be used to activate instruction fetches from dual port memory 19, by activating 11 during instruction fetches, and may be disabled by the TBAY instruction; instructions are read operations. TAA and TBA instructions may be used in any combination. A reset has the same effect as TAAB & TBAY, ensuring normal processing on startup. While TBAX is active, instruction fetches from addresses outside the dual port memory 19 are from^ to perform an automatic TBAY instruction or any other method to avoid trapping the system microprocessor in dual port memory 19.

This method and apparatus provides a novel transparent method of including one or multiple devices within a system microprocessor without potentially conflicting with existing resources in a UCDPS and has multiple applications to the art of system microprocessor design. To avoid problems with interrupts directing processing to another routine that expects a normal environment, interrupts are inhibited by the TAA and TBA instructions. An alternative allows for similar instructions that do not inhibit interrupts, allowing the interrupt handler and or task switcher to handle the situation, in which case the TAA and TBA instructions are disabled by an interrupt and a record of their status is stored in a la^
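The routing rules for the TAA and TBA instructions described above, written out as our own C model (an added example, not code from the patent): signal 11 is derived from the current mode and the kind of bus cycle, chip select 13 fires only when 11 is active and the address falls in the predetermined block of dual port memory 19, and an active 13 is what keeps buffers 2, 3 and 4 disabled. All identifiers, the 256-byte address space and the block location are assumptions of the example, as is the choice to send accesses outside the block to UCDPS memory while TBAX is active (the patent's sentence on that point is truncated above).

```c
/* Added example: a C model of the TAA/TBA transparent address space.
 * All names are ours; the patent gives only the instruction names and
 * the signal numbers (9, 11, 13, 14 and buffers 2, 3, 4). */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SPACE   256u   /* tiny 8-bit address space for the model (assumption) */
#define DP_BASE 0x80u  /* predetermined (programmable) block of dual port memory 19 */
#define DP_SIZE 0x40u

typedef enum { TAAB = 0, TAAX, TAAY, TAAZ } taa_mode_t;  /* data-cycle routing */
typedef enum { TBAY = 0, TBAX } tba_mode_t;              /* instruction-fetch routing */
typedef enum { DATA_READ, DATA_WRITE, INSTR_FETCH } cycle_t;
typedef enum { TO_UCDPS, TO_DPMEM } target_t;

typedef struct {
    taa_mode_t taa;
    tba_mode_t tba;
    bool interrupts_inhibited;  /* first variant in the text: TAA/TBA active inhibits interrupts */
    uint8_t ucdps[SPACE];       /* normal UCDPS memory */
    uint8_t dpmem[DP_SIZE];     /* system-microprocessor (90) side of dual port memory 19 */
} cpu_t;

/* Reset has the same effect as TAAB & TBAY: dual port memory is not decoded. */
void cpu_reset(cpu_t *c)
{
    memset(c, 0, sizeof *c);
    c->taa = TAAB;
    c->tba = TBAY;
}

static void update_inhibit(cpu_t *c)
{
    c->interrupts_inhibited = (c->taa != TAAB) || (c->tba != TBAY);
}

void cpu_exec_taa(cpu_t *c, taa_mode_t m) { c->taa = m; update_inhibit(c); }
void cpu_exec_tba(cpu_t *c, tba_mode_t m) { c->tba = m; update_inhibit(c); }

/* Address decoder enable 11 depends only on the mode and the kind of cycle. */
bool signal_11(const cpu_t *c, cycle_t cyc)
{
    switch (cyc) {
    case DATA_WRITE:  return c->taa == TAAX || c->taa == TAAZ;
    case DATA_READ:   return c->taa == TAAY || c->taa == TAAZ;
    case INSTR_FETCH: return c->tba == TBAX;
    }
    return false;
}

/* Chip select 13 needs 11 active and an address inside the block decoded by
 * decoder 10. While 13 is active, gate 14 blocks 9 so buffers 2, 3, 4 stay off. */
target_t route(const cpu_t *c, cycle_t cyc, uint8_t addr, bool *buffers_enabled)
{
    bool cs13 = signal_11(c, cyc) && addr >= DP_BASE && addr < DP_BASE + DP_SIZE;
    if (buffers_enabled) *buffers_enabled = !cs13;
    return cs13 ? TO_DPMEM : TO_UCDPS;
}

uint8_t bus_read(cpu_t *c, cycle_t cyc, uint8_t addr)
{
    return route(c, cyc, addr, NULL) == TO_DPMEM ? c->dpmem[addr - DP_BASE] : c->ucdps[addr];
}

void bus_write(cpu_t *c, uint8_t addr, uint8_t v)
{
    if (route(c, DATA_WRITE, addr, NULL) == TO_DPMEM) c->dpmem[addr - DP_BASE] = v;
    else c->ucdps[addr] = v;
}

/* The TAAX use case: an ordinary copy loop whose reads come from UCDPS memory
 * and whose writes land in dual port memory at the same addresses, so the
 * dual port memory never has to occupy UCDPS address space. */
void copy_into_dpmem(cpu_t *c, uint8_t addr, size_t n)
{
    cpu_exec_taa(c, TAAX);
    for (size_t i = 0; i < n; i++)
        bus_write(c, (uint8_t)(addr + i), bus_read(c, DATA_READ, (uint8_t)(addr + i)));
    cpu_exec_taa(c, TAAB);  /* back to the normal situation */
}
```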

Secure processing is provided by including a second microprocessor 20 within 130 that may read and write to addresses within the secure address map 50 without being available to external analysis. Secure address block 50 is predominantly memory, divided into a small amount of mask ROM 51 to initially program the other information into the device, flash memory 52 for storage of information that needs to remain in the device in the event of total power loss, and battery backed static memory 53, which stores important information that may be rapidly erased in the event of tampering. The microprocessor 20 communicates with the secure memory 50 via address lines 84, data lines 100 and other various control lines^ a battery backed realtime clock and or calendar 89 that cannot be tamp^ standard regime is preferabl^ chip select signals are output on 83 to the various secure devices. The power management logic 65^ power on 60 and battery power on 87 from (preferably rechargeable) battery 70. An A/D converter 75 monitors voltage. Continuous power is supplied to 50 via 87. Power management 65 may also be used for any additional voltages to flash memory 52, other battery backed logic and provides recharging power to the internal battery 70. The microprocessor 20 communicates with the system microprocessor 1 via a dual port memory 19. The microprocessor 20 side 91 of du^ write 23 connect with 19 to allow reads and writes of information between microprocessor 20 and dual port memory 19. A similar method allows the system microprocessor to communicate with dual port memory via chip select 13 from its decode logic 10 and address lines 14 and data 6. The decoder 10 uses high order address lines 12 and control lines 32 (e.g. valid address) and 11 (activated by TAA, TBA). This provides a method of transferring information to and from external locations to^ 20. No user supplied program can access the information in secure memory without access to the secret codes required, and these may be made as complex as secure memory resources allow.

It is preferable that the secure microprocessor includes a direct memory access (DMA) facility to move blocks of information from UCDPS memory directly into secure memory locations and or from secure memory to external locations. This may actually improve the efficiency of the original system microprocessor, permitting it to perform other tasks while a block of information is securely processed in internal memory. Access to this DMA facility should be decoded into the se^ originating within secure system functions (as described later). Any possibility of an external program and or a program executing in a user partition having unsupervised access to the DMA controller 125, which may be programmed to move a large block of system information to an external location, would be disastrous.

The microprocessor 20 would usually program the DMA controller 125 via data bus 100 and chip select 142 and read/write 102, using a routine known to have originated within one or multiple predetermined^ details of including a DMA controller 125 are not described or shown. The method involves^ address, data and control lines of the system microprocessor^ with similar signals generated by the DMA controller 125 to read or write external locations and multiplexing of the address, data, and control lines of^ control is within the system^ controller 125 would be easier to implement at a logical level than for external DMA controllers. This type of DMA is transparent to external devices.

The invention also allows^ very powerful processing system, allowing secure and unsecure execution to proceed concurrently. Another^ option is to use two differ^ may be multiplexed by^ system functions while the oth^ activated in any way, e.g. hold reset low, may switch the roles. The secure functions may be duplicated, in part or whole, or each may have its own secure fu^ unsecure processor. A switch from secure processing to unsecure processing preferably ensures that any potentially secret information is flushed from CPU registers and any other locations that may become accessible to external analysis in the unsecure state. All secure functions would usually be inaccessible to the system microprocessor in unsecure mode. A person knowledgable in the art should be able to design such an embodiment that performs to the requirements of the invention.^ with a means of integrating two different UCDPSs into one. Of course this scenario might be expanded to any number of system microprocessors within the one package. When multiple system microprocessors are included in the one package, the one that is normally associated with the resident operating system^ this application^ No changes would usually be required to any software to operate the Host CPU, however, other support may be required to simulate the correct environment to^ address trap for the grafted sy^

It will be appreciated by those e^ be readily transferred to a location external to the system microprocessor by providing a secure package and replacing the transparent address space of the version within the PCPU with an appropriate address within the UCDPS address space.

A basic embodiment of an SPD for use external to the system microprocessor is described with reference to Figure 2 of the drawings showing a printed circuit board 700 that is capable of connecting with an appropriate socket on the bus expansion of a UCDPS 720 via the gold fingers 701 on the printed circuit board 700. Mounted onto PCB 700 are an address decoder 702 to receive address signals from the address bus of the UCDPS 721 and various control lines 722 that it uses to decode the UCDPS side of the dual port memory 704 to a suitable address location in the address map of the UCDPS using chip select line 712. The lower order address lines 723 of the UCDPS together with UCDPS data bus signals 724 and a read/write signal 725 pass from the UCDPS bus via buffer 703 to the UCDPS side of the dual port memory 704 via signal lines 713. The part of 703 that buffers the data lines is bidirectional. A microprocessor 707 includes two interrupt lines 730 and 731 and an external address bus 714 and a valid address signal 733 and a bidirectional data bus 715 and a read/write line 732 and internal programmable nonvolatile memory 708 (e.g. flash memory) and a boot routine 735 to load information into non-volatile memory 708. A static RAM chip 709 is connected to microprocessor 707 low order address lines of address bus 714 and the data bus 715 and read/write line 732. Static RAM 709 is activated by chip select 740 that is created by the address decoder 705 decoding the high order address lines on address bus 714 in conjunction with valid address signal 733. When static RAM 709 is selected the microprocessor 707 may read and write data to and from 709. The microprocessor 707 side of the dual port memory 704 is attached directly to the 707 data bus 715 and read/write line 732 and low order address lines of address bus 714. The microprocessor 707 side of the dual port memory is activated for read and write operations by chip select 750 generated by address decoder 705, d^ lines on the address bus 714 and the valid address signal 733. A rechargeable battery 710 is included providing backup power via 711 to the microprocessor 707 and the static^ an active UCDPS, the battery 710 is recharged from the system power supply. Microswitch 712 connects to interrupt line 730 causing an interrupt when the tamperproof enclosure 716 is disrupted. The tamperproof housing 716 securely encloses 710, 707, 709, 705, 704, 712, and all signal lines that may provide useful information. Interrupt line 731 causes an interrupt to 707 when^ indicating that the external system microprocessor is accessing the device and that action may be required by microprocessor 707. The microprocessor 707 is normally in low power sleep mode. If awakened by interrupt 730 it immediately sequentially erases the values stored within SRAM 709 using a routine preprogrammed into 707 prior to enclosure in 716. If awakened by 732 it continues processing as required. The SPD as described may be integrated into a single chip. A person experienced in the art would be able to adapt this design to attach the SPD to any suitable non-bus interface. A suitable location may be the parallel port on a shared basis with the printer; the known art for other types of software protection devices describes such a shared interface. The inclusion of a cryptoengine implemented in hardware would enhance decryption processes that are fundamental to the secure and versatile functions provided by an SPD.

Figure 3 shows a block diagram of the address map for secure functions within the system microprocessor package/die 130 of Figure 1. These secure functions may only be addressed by the secure microprocessor 20 and may not be accessed by external programs other than said external programs providing information that is usually subject to validity checks and decryption before acceptance by the secure microprocessor 20 for further processing. The address decoder 25 decodes a battery backed real time clock calendar 89 with^ 125 with chip select 142, Data Encryption Standard Engine 135 with chip select 143, and if the DES engine is constructed in part or whole from programmable logic devices (preferably SRAM, that may be battery backed if^) that are^ 141, tamper detect 80 (preferably including a security monitoring) selected by 144, A/D converter 75 by select line 145, power management 65 by select 146. The preceding devices would usually have fixed loc^ the chip selects 140, 141, 142, 143, 144, 145, 146, and any other additional select lines that may be included to access other secure devices^ chip selects originating from within a^ this area from non-system (user) programs^ first address of an instruction and compare^ 147. This address block is preferably programmable^ however, there will be a known default on reset of the secure microprocessor 20. As an added precaution it is preferable to latch the first address of the preceding instruction and do a similar comparison. This requires any instruction that attempts access to secure functions in this part of the address map to have originated in secure system memory and the^ a program that may be executing within a secure^ counter of the secure microprocessor^ address of the first instruction may be determined by including in the microcode of secure microprocessor 20 the generation of a signal to indicate that it is the first address of the instruction (this may already be the case). The program counter contents may also be latched. Chip select 147 from decoder 25 delineates the block of memory allocated to secure system functions^ it points to an initialisation routine^ in this memory. The size of this memory is preferably variable to accommodate changing circumstances. This is usually done by programmable boundary register 160, that is selected by chip select 161. One boundary is usually fixed at the top of the available address space. The^ provided to its address^ the same precautions as regards checking the origin of the instruction as described for 140, 142, etc. Chip select 147 decodes the secure system memory. This preferably has the same requirements for two sequential instructions to have originated in secure system memory^ reset the latches to store the addresses of the two^ system memory. This enables the^ provides a method for a user routine to transfer processing back^ function may write to an addressable location that generates a user interrupt 180; the system functions may then interact in any predetermined manner to meet the requirements of the user function. The balance of the secure memory is allocated to various user functions. In a multitasking UCDPS this is preferably partitioned into multiple user partitions. The preferred method is to have one or multiple sets of^ 170, that may only be programmed by secure system functions decoding select 17^ to the decode logic 25 to define the current user partition, that is decoded with chip select 148. This permits the^ user partitions to be divided on a totally flexible basis as required. When processing transfers from one user partition to another, the secure system functions reprogram the appropriate values. When processing is transferred to a user partition no addresses are decoded outside this partition to prevent a user function compromising the system^ to an address outside the user partition, it will not be decoded and the user function will usually crash. In case of a crash within one of the user partitions a watchdog^ predetermined period. This is preferably a programmable period that may also be used to task switch secure processes in a multitasking environment. Prior to transferring processing to the user partition, the secure microprocessor 20 registers are preferably stacked and cleared of sensitive information and or the registers are duplicated. The dual port memory is decoded by chip select 150. The secure microprocessor 20 may also generate at least one interrupt 195 to the system microprocessor that directs the system microprocessor to an interrupt routine in dual port memory and or any suitable location. This location is preferably read only to the system microprocessor and may be read and written by the secure microprocessor 20. This interrupt may bypass any normal interrupts generated by the UCDPS to the system microprocessor and be processed transparently to the operating system. See known art US Patent 5274834. It may be used for any reason, in particular to direct the system microprocessor to perform various functions within the UCDPS transparently to the UCDPS operating system. An interrupt may also be generated by the system microprocessor^ 20 are preferably specific to a particular source with sufficient interrupt lin^
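The origin check and partitioning rules of decoder 25 described above, written out as our own C model (an added example, not the patent's code): secure devices and secure system memory decode only when both the current and the preceding instruction began inside the system memory block, a user partition sees nothing outside its own boundaries, and user interrupt 180 is the sanctioned route back. The 16-bit address map, the fixed device addresses, the register file and the function names are assumptions of the example; the chip select numbers and the device-to-select pairing follow the text.

```c
/* Added example: a C model of secure address decoder 25. Addresses, the
 * register file and the API names are ours; chip select numbers follow the text. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

enum { CS_NONE = 0, CS_140 = 140, CS_141, CS_142, CS_143, CS_144, CS_145, CS_146,
       CS_147, CS_148, CS_150 = 150 };

/* Constructed fixed locations of the devices selected by 140..146 (in that order):
 * clock 89, DES programmable logic, DMA 125, DES engine 135, tamper detect 80,
 * A/D converter 75, power management 65. */
enum { ADDR_RTC_89 = 0xFF00, ADDR_DES_PLD = 0xFF01, ADDR_DMA_125 = 0xFF02,
       ADDR_DES_135 = 0xFF03, ADDR_TAMPER_80 = 0xFF04, ADDR_ADC_75 = 0xFF05,
       ADDR_PWR_65 = 0xFF06, N_DEVICES = 7 };

typedef struct { uint16_t lo, hi; } range_t;  /* inclusive bounds */

typedef struct {
    range_t sys_mem;        /* secure system memory, CS 147: top fixed, low end = boundary register 160 */
    range_t dp_mem;         /* dual port memory, CS 150 */
    range_t user_part;      /* current user partition, CS 148, from registers 170 */
    bool in_user_partition;
    uint16_t cur_first;     /* latched first address of the current instruction */
    uint16_t prev_first;    /* latched first address of the preceding instruction */
    uint16_t regs[8];       /* secure microprocessor 20 registers (model) */
} decoder_t;

static bool in_range(range_t r, uint16_t a) { return a >= r.lo && a <= r.hi; }

/* Reset: known default boundary; the latches point at the initialisation routine
 * at the bottom of system memory so the first secure instructions pass the check. */
void decoder_reset(decoder_t *d)
{
    memset(d, 0, sizeof *d);
    d->sys_mem = (range_t){ 0xC000, 0xFFFF };
    d->dp_mem  = (range_t){ 0x8000, 0x8FFF };
    d->cur_first = d->prev_first = 0xC000;
}

/* Driven by the microcode signal that marks the first address of each instruction. */
void decoder_fetch(decoder_t *d, uint16_t first_addr)
{
    d->prev_first = d->cur_first;
    d->cur_first = first_addr;
}

/* Both the current and the preceding instruction must have begun in system memory,
 * so a jump from user code into the middle of a secure routine is not honoured. */
static bool origin_is_secure(const decoder_t *d)
{
    return in_range(d->sys_mem, d->cur_first) && in_range(d->sys_mem, d->prev_first);
}

/* Which chip select (if any) decoder 25 asserts for an access to addr. */
int decoder_select(const decoder_t *d, uint16_t addr)
{
    if (d->in_user_partition)  /* nothing outside the partition is decoded */
        return in_range(d->user_part, addr) ? CS_148 : CS_NONE;
    for (int i = 0; i < N_DEVICES; i++)  /* secure devices need the origin check */
        if (addr == ADDR_RTC_89 + i) return origin_is_secure(d) ? CS_140 + i : CS_NONE;
    if (in_range(d->sys_mem, addr))      /* system memory: the same precaution */
        return origin_is_secure(d) ? CS_147 : CS_NONE;
    if (in_range(d->dp_mem, addr)) return CS_150;
    if (in_range(d->user_part, addr)) return CS_148;
    return CS_NONE;
}

/* System functions program registers 170, clear the register file of sensitive
 * values, then hand processing to the start of the user partition. */
void decoder_enter_user_partition(decoder_t *d, uint16_t lo, uint16_t hi)
{
    d->user_part = (range_t){ lo, hi };
    memset(d->regs, 0, sizeof d->regs);
    d->in_user_partition = true;
    decoder_fetch(d, lo);
}

/* User interrupt 180: the sanctioned way back. The latches are reset so the
 * system-function handler passes the origin check on its first instruction. */
void decoder_user_interrupt_180(decoder_t *d)
{
    d->in_user_partition = false;
    d->cur_first = d->prev_first = d->sys_mem.lo;
}
```

An access that returns CS_NONE from inside a user partition is the case the text describes as a crash that the watchdog eventually clears.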

Within the secure system memory is an area of masked ROM 51 that is usually a fixed amount, usually a fixed amount of flash memory 52 for storing information that survives total loss of power, and usually a variable amount of battery backed static memory 53 that securely stores secret system programs and^ This information may be lost in part or whole, due to accidental reasons, e.g. a flat battery (preferably rechargeable), or by activation of one or multiple tamper detect systems and or failure to comply with the conditions attached to using the SPD and or any other reason. System memory and user memory 54 is described later. Part at least of 53 and or 54 may be replaced by dynamic memory to provide greater memory density. This may particularly apply to secure system functions loaded from external sources as required, and user functions loaded as part of a PSO executing and or any other external information transferred as required.

Secure System Functions:

The system memory of an SPD must be preprogrammed with certain key programs and data prior to shipping to a user (usually as part of a UCDPS). This should be done in a secure environment, using secure methods, and is preferably completed during the manufacturing process. The service provider keeps a record of part at least of the information within each SPD. Once this key information^ programs and or data may be suitably encrypted by the service provider and transferred to a user's SPD (usually while within their UCDPS) using methods that maintain the security of the information. The suitably encrypted information is programmed into the system and or user memory of the SPD on a temporary or permanent basis, and in many cases this will be a transparent, dynamic process that occurs during the execution of various computer programs, particularly PSOs. This method allows almost any typ^ stored within the system memory, and or allows various programs to be loaded to update and or modify existing system functions and or any other transfer of information for any reason.
Secure system functions are those functions applicable to the correct operation of the SPD and the provision of required resources to^ multiple secure user^ PSO loaded into memory of the UCDPS that requires the SPD and system functions^ operation. Secure user functions are usually an integral part of, or integrally linked with, a particular PSO and loaded into the SPD as required. A PSO that is supplied by the service provider to securely update secure system functions would usually act as a secure user function^

The preferred SPD consists of the following:

1. It provides a tamper^ including attempts at analysing or tampering with one or multiple secret processes that may be occurring within said tamperproof^ known art to monitor the maintenance of the integrity of said secure packaging, together with a method of rapidly invalidating the contents should interference with the package be detected. As the preferred embodiment of the invention stores secret information^ whether or not the UCDPS is active, part or all of the tamper detect and invalidating^ powered and periodically awakened from a low power sleep mode to perform one or multiple housekeeping functions including monitoring^

Secret information that may compromise the secure nature of multiple other SPDs is preferably stored in battery backed Static RAM (SRAM), a storage medium that may be rapidly invalidated by removal of power and or by a specially created subroutine that cycles through the memory changing values and or a specially designed cascade system that triggers automatic invalidations of static memory storage elements as is known to the art (reference Dallas Semiconductors Secure Microcontrollers). The invention allows for any known method and apparatus of detecting physical tampering with the SPD and allows for any method and apparatus of invalidating secret information in any type of memory storage device.

29 Secret infamarJon that is only likely to compromise the security of a particular SPD may be stored in SRAM, 

30 rmwever.irforrr^tbatsric^ SRAM is preferably stored in non- 

31 volatile locations. Wrjen this iirfw 

32 «Jurse(rf<3penitionoftheS^^ 

33 raruirealteratira after irtitial programme 
34 

35 formation not requiring secrecy (as far as practical) and that is consistent across multiple SPDs is preferably 

36 implemented in mask ROM during the mamifacture of the SPD. This usually includes fa^ii— y routines to 

37 program other irrformation into the SPD. When obstructing an SPD that is not within the system CPU, the CPU 

38 chosen for the SPD will usually already have a boot or mulalisation routine embedded within. Those experienced in 

39 the an will appreciate that information stored as masked ROM inside an integrated circuit (IQ package may be 

40 analysed, however, this is usually with great difficulty. 
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1 

Where certain unique features are required in each SPD at the time of manufacture and secrecy (as far as practical) is not essential, they are preferably implemented by laser programming of masked elements. This usually applies to one or multiple passwords that are applicable to a particular SPD.

The secret processing device (SPD) is a device that is not practical to tamper with. This device contains various secure functions that may perform useful functions for suitably configured software objects. It also provides various secure functions that permit a provider of protected software objects, referred to as service provider, to create an effective method of renting software [...] discussed. The method is secure from the perspective of the producer of the software object and provides a convenient means [...].

The invention allows that attempts may be made to physically tamper with the SPD. This may be for any reason, including the unauthorised extraction of secure information from the SPD. Secure system tamper detect functions, using any method and apparatus, may be used to detect tampering and or to take direct (that preferably includes immediately erasing and or altering information within part or all secure storage devices) and or indirect (e.g. via error functions) action in the event of tampering. Part of the tamper detect functions allow for any method and apparatus, referenced as secure system continuity functions, to confirm that one or multiple of any tamperproof mechanisms remain intact. One method is to include bidirectional logic at each end (or any other location) of the various signal lines to check for continuity of signal traces and for functioning of attached logic elements in those instances where the normal function does not permit this. This bidirectional logic is usually connected, directly and or indirectly, to addressable elements under the control of suitable software routines. The invention also allows for any method and apparatus to detect loss of clock to the realtime clock/calendar and or any one or multiple other clocked elements, including routines that periodically read these clocked devices (directly and or indirectly) to ensure that there are the expected incremental changes secondary to an active clock. It is preferable that part or all of the tamper detect mechanisms remain functional when the system power supply is removed. This may include using battery power to maintain one or multiple microprocessors within the device in an operational mode, enabling them to execute various system functions. Loss of battery voltage below a predetermined threshold (as detected by an integrated A/D converter) may trigger the erasure of part or all secure elements. It is preferable that an independently timed function is implemented (e.g. RC network) that must be periodically refreshed by one or multiple microprocessors. [...] usually cause a default erasure and or alteration of secure storage elements.

The invention allows that various errors and or validity failures and or any processing error and or any other event may be recorded by secure system error monitoring routines (usually implemented within secure system memory). These may perform any functions, that may include:
recording abnormal events; and
in response to a predetermined number and or types of abnormal events (and or any other reason) take one or multiple actions (that may be any action, including calling other functions to partially or totally disable the device); and or
return processing to the system CPU (with or without error reporting).

There may be a requirement to [...] be integrated within (eg. system CPU). The functions to perform this are referenced as secure system disable functions and they may be implemented [...] including:
the generation of various clocks (and or any other meaningful signals) that trigger immediate erasure of volatile elements; and or
setting/clearing of flags (preferably in non-volatile locations) that may be read by various other functions that will not continue (and or any other outcome) [...].

The invention also allows for any method and apparatus that may temporarily [...] disable functions. This may be for any reason [...] functions during software development. The invention allows for any method and apparatus that prevents infringement of system security when the disable functions are in part or whole temporarily inactive.
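The tamper detect, error monitoring and disable functions described above can be modelled in firmware terms. The following is an added example written for this page; it is not code from the patent and the patent specifies none. It assumes a constructed 32-byte battery-backed SRAM region, a 2700 mV battery threshold, a 100-tick refresh deadline for the independently timed function and a threshold of three abnormal events; all of these values are assumptions for illustration. Physical tamper events (enclosure, trace continuity, battery, missed refresh) erase the secret store immediately; validity failures and a stalled realtime clock are counted by the error monitor and only disable the device once the count reaches the threshold. The non-volatile disable flag is the one other functions would consult before proceeding.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed parameters for this example; the patent leaves all of them open. */
#define SECURE_SRAM_BYTES    32    /* battery-backed SRAM holding secret functions */
#define BATTERY_MIN_MV       2700  /* A/D threshold below which secure elements are erased */
#define REFRESH_DEADLINE     100   /* ticks the independent timer tolerates without a refresh */
#define MAX_ABNORMAL_EVENTS  3     /* error-monitor threshold before the device is disabled */

enum spd_event {
    EV_ABNORMAL,        /* validity failure or processing error: counted, not fatal alone */
    EV_CLOCK_STOPPED,   /* realtime clock did not advance between reads: counted */
    EV_ENCLOSURE_OPEN,  /* tamper switch on the secure package: immediate erasure */
    EV_TRACE_BROKEN,    /* continuity check across a signal trace failed: immediate erasure */
    EV_BATTERY_LOW,     /* battery below threshold: immediate erasure */
    EV_REFRESH_MISSED   /* independently timed function was not refreshed: immediate erasure */
};

struct spd_state {
    volatile uint8_t secure_sram[SECURE_SRAM_BYTES]; /* secret information lives here */
    uint8_t  nv_disabled;      /* non-volatile flag other functions consult before running */
    unsigned abnormal_events;  /* error-monitor counter */
    unsigned last_refresh;     /* tick at which the microprocessor last refreshed the timer */
};

/* Load constructed secret material and start with a clean error state. */
void spd_init(struct spd_state *s, unsigned now_tick)
{
    for (size_t i = 0; i < SECURE_SRAM_BYTES; i++)
        s->secure_sram[i] = (uint8_t)(0x10 + i);  /* constructed stand-in for keys */
    s->nv_disabled = 0;
    s->abnormal_events = 0;
    s->last_refresh = now_tick;
}

/* The "subroutine that cycles through the memory changing values": every cell is
 * driven through complementary patterns and left at zero. The volatile qualifier
 * stops the compiler removing stores to memory that is never read back. */
static void invalidate_secure_sram(struct spd_state *s)
{
    static const uint8_t pattern[] = { 0xFF, 0x00, 0xAA, 0x55, 0x00 };
    for (size_t p = 0; p < sizeof pattern; p++)
        for (size_t i = 0; i < SECURE_SRAM_BYTES; i++)
            s->secure_sram[i] = pattern[p];
}

/* Direct action: erase the secret store and set the non-volatile disable flag. */
static void spd_disable(struct spd_state *s)
{
    invalidate_secure_sram(s);
    s->nv_disabled = 1;
}

bool spd_sram_is_blank(const struct spd_state *s)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < SECURE_SRAM_BYTES; i++)
        acc |= s->secure_sram[i];
    return acc == 0;
}

/* Error-monitoring routine. Physical tamper events erase at once; abnormal events
 * are counted and disable the device at the threshold. Returns true while enabled. */
bool spd_report_event(struct spd_state *s, enum spd_event ev)
{
    if (s->nv_disabled)
        return false;
    switch (ev) {
    case EV_ABNORMAL:
    case EV_CLOCK_STOPPED:
        if (++s->abnormal_events >= MAX_ABNORMAL_EVENTS)
            spd_disable(s);
        break;
    default:  /* EV_ENCLOSURE_OPEN, EV_TRACE_BROKEN, EV_BATTERY_LOW, EV_REFRESH_MISSED */
        spd_disable(s);
        break;
    }
    return s->nv_disabled == 0;
}

/* The microprocessor refreshes the independently timed function on each pass. */
void spd_refresh_timer(struct spd_state *s, unsigned now_tick)
{
    s->last_refresh = now_tick;
}

/* Housekeeping pass run on wake from low power sleep: battery level, refresh
 * deadline and realtime clock progress are checked. Returns true while enabled. */
bool spd_housekeeping(struct spd_state *s, unsigned now_tick, unsigned battery_mv,
                      uint32_t rtc_now, uint32_t rtc_prev)
{
    if (battery_mv < BATTERY_MIN_MV)
        return spd_report_event(s, EV_BATTERY_LOW);
    if (now_tick - s->last_refresh > REFRESH_DEADLINE)
        return spd_report_event(s, EV_REFRESH_MISSED);
    if (rtc_now == rtc_prev)
        return spd_report_event(s, EV_CLOCK_STOPPED);
    return s->nv_disabled == 0;
}

/* Scenario helpers: each returns true if the device behaved as the text describes. */
bool demo_error_threshold_disables(void)
{
    struct spd_state s; spd_init(&s, 0);
    bool first_two = spd_report_event(&s, EV_ABNORMAL) && spd_report_event(&s, EV_ABNORMAL);
    bool third = spd_report_event(&s, EV_ABNORMAL);
    return first_two && !third && spd_sram_is_blank(&s) && s.nv_disabled == 1;
}

bool demo_low_battery_erases(void)
{
    struct spd_state s; spd_init(&s, 0);
    return !spd_housekeeping(&s, 10, 2500, 5, 4) && spd_sram_is_blank(&s);
}

bool demo_missed_refresh_erases(void)
{
    struct spd_state s; spd_init(&s, 0);
    spd_refresh_timer(&s, 100);
    bool alive = spd_housekeeping(&s, 150, 3000, 2, 1) && !spd_sram_is_blank(&s);
    return alive && !spd_housekeeping(&s, 201, 3000, 3, 2) && spd_sram_is_blank(&s);
}
```

The erasure routine runs against a `volatile` array for the reason the text hints at: memory that is written and never read back is exactly what an optimising compiler removes, and an erasure that is compiled out leaves the keys in place. On real hardware the battery-low and refresh checks would be wired so that they keep working while the system power supply is absent.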
2. It provides one or multiple blocks of memory arranged in a manner that prevents unauthorised analysis of the contents of such memory unless [...] or all of the memory contains information that is not secret.

The memory blocks may use any types of memory storage device, in any mix and combination. There are preferred types of memory storage devices to meet the requirements of specific functions.

The primary purpose of secure memory [...] with a secure method of processing information [...] external locations, allows certain secret processes to occur and or information to be securely stored. The processing of information within secure memory may include the use of any mix of secure and unsecure programs and or data, and any interaction with resources that are external to the SPD.

An SPD usually has one or multiple blocks of memory storage devices that may consist of any type and combination of memory storage devices arranged to make it not practical for unauthorised parties to analyse the values stored within part or all of said memory storage devices.

The memory storage devices preferably:

(a) include one or multiple blocks of Static RAM that are made nonvolatile by connection to a non-disruptable power source that is preferably a rechargeable battery integrated into the device and or in enclosure, and or a rechargeable battery external to [...] that would usually be invalidated [...] device, and said Static RAM is preferably connected directly and or indirectly with one or multiple methods and apparatus to detect said tampering and invalidate, and or activate invalidation, of part or all of said secret information as a result of said tampering. The invention also allows for the inclusion of any method and apparatus to invalidate in part or all secret information stored within said static RAM for any other reason. This memory usually stores:

(i) secret system functions implemented at least in part as software routines, that need to be maintained in secrecy (as far as practical) and that cannot [...] required. An example of this may be the master decryption algorithm and or keys; if this was loaded from an external location it may be analysed and used to break [...] decryption algorithms may be possible as long as sufficient function is kept securely within the SPD. Said sufficient function may in part or whole be a hardware implementation of a decryption algorithm.

(ii) information that may or may not need to be secret that is required to correctly interface with externally available information; this may include the loading of other information.

(iii) information that it is determined, for any reason, should be within the SPD on a [...]

(iv) information that is loaded from external resources. This may include additional secure system functions loaded in encrypted format and subsequently decrypted and may include appropriately encrypted objects supplied by an authorised party to modify information within the SPD.

The information described in (i), (ii), (iii) and (iv) constitutes part of the secure system functions (53 of figure 3) and consists of information that is known to be available within, or able to be loaded within, the device when required to perform the functions that are an integral part of the SPD. System functions are also known to have been carefully prepared and scrutinised [...] information within the SPD. Those secure system functions that are loaded into the SPD in encrypted format usually have tamperproof validation processes integrated into their structure to ensure the validity of the information prior to associating it with other secure system functions. That part of [...] functions is referenced as secure system memory.

(v) other information that may be loaded into the battery backed SRAM [...] functions (54 of figure 3). These are usually software objects supplied by various producers that have a requirement for interaction with the SPD. They usually require appropriate conversion of the software object by an authorised service provider to one that may [...] protected software object or PSO. A PSO is usually encrypted and preferably has appropriate validity checking mechanisms included to ensure that the information is as supplied by the service provider. Those parts of the PSO that are to be transferred to locations within the SPD, whether data and or computer instructions, are referenced as secure user functions. In applications where this information is data that is to be processed securely using secure system functions, accidental and or deliberate tampering with the data usually has no potential unwelcome consequences within the SPD as the processing is performed by known processes.

(b) static RAM (SRAM) that is not battery backed and or dynamic memory may be used to secure system functions described in the preceding (a) part (iv), and or secure user functions in (a) part (v), and or any other information loaded into the SPD.

(c) [...] of programming [...] preferably includes one or multiple blocks of intrinsically non-volatile and reprogrammable memory eg. flash memory and or EEROM, including any required componentry to support programming, erasure and reprogramming of said flash memory and or EEROM. Particular applications of this area are the storage of information that should survive an erasure of SRAM for any reason, including accidental erasure. One of the features of the SPD is its ability, with appropriate software [...] information stored externally [...] retrievable if the SRAM contents [...] suitably protected routines [...] with externally encrypted information as the decryption key is inaccessible and may be varied every time.

(d) [...] one or multiple blocks of [...] memory storage devices and said mask ROM preferably includes an area that may be customised to create unique information for each device, one method of customising [...] program data into other storage devices.

The current system functions within an SPD preferably have a version number stored in an externally accessible location, eg. dual port memory 19 of figure 1, that may be read by [...] to ensure the [...] resources to meet the requirements of the PSO.

3. It provides at least one secure microprocessor [...] addressable functions [...] address space of the secure microprocessor [...] reads and or writes and or processes, in part or whole, [...]

The secure microprocessor [...] The [...] source is usually shared with [...]

It is preferable that the reset line of the secure [microprocessor ...] it to perform error checking [...] UCDPS.

The secure microprocessor on reset (and [...]) performs various housekeeping duties [...] the reading of one or multiple appropriate [...] indirectly written to by the system microprocessor [...] any one or multiple other functions [...]

4. The SPD predominantly is a secure [...] in part or whole is generated (including by [...]) means of transferring information [...] remain secret. This entails two basic requirements:

(a) The provision of one or multiple physical interfaces between SPD and sources of information. The invention allows for any known interface. This includes information that is transferred via the bus of the UCDPS, that is the usual method when the software objects using the SPD are executing and or being processed by the system microprocessor, and or information entering through one or multiple ports that may be read by the secure microprocessor and or any other function within the SPD.

The preferred interface [...] dual port memory 19, latches and or registers ([...]) [...] secure microprocessor to have direct access to the address bus of the UCDPS and move information under programmed control and or by direct memory access (DMA).

(b) a method for the SPD and UCDPS to determine which locations have valid information and a method of acting on this information. The information may be commands and or programs requiring execution and or data for any reason and or any other information. This is a function of the secure system functions and specifically those referenced as secure system I/O functions. They require similar processes to those provided by any operating system and are within the expertise of those experienced in the art of writing operating systems. Moreover, as the SPD includes functions to load and execute externally supplied software objects that may securely modify the various secure system functions, [...] system in memory that is not easily modified.

The preferred embodiments of the invention provide a dual port memory 19 that is accessible by the secure microprocessor and the [...] programmable) as previously described with reference to Figures 1 and 3.

The next part of the description may be better [...]

A system port structure 199 is established that may have one or multiple addresses which the system microprocessor writes to, referenced as system command [input port ...] as system command output port [...]; these are usually part of a block of memory, they may be dynamically reconfigured by appropriate interaction between system microprocessor 1 and secure [microprocessor ...] locations [...] or the number of addresses constituting a port. It is preferable to have a system input data port 202 for the transfer of information [...] from SPD to UCDPS. In the case of dual port memory a large block of addresses may be allocated for command information and the addresses and sizes may be dynamically configured. The actual allocation of input and output ports is preferably a function [...] be the only interface [...] inclusion of a DMA channel 125 on the SPD is the preferred method of moving large blocks of information in and out of the secure memory 53, 54 of the SPD. Address and control lines 220 and data lines 221 from the DMA controller 125 are multiplexed with similar signals from system microprocessor 230 in 235 for interface with external memory. Address and control lines 222 and data lines 223 are multiplexed (not shown) with similar signals from secure microprocessor 20 for transferring information to and from secure memory 53 and 54.

The invention also allows for the SPD to handle the requirements of multiple PSOs in a multitasking environment and that the system command and data ports as described may be sufficient if the UCDPS operating system is modified to send a command to an appropriate location in a command port to instruct the SPD of a task change and does not proceed until the command is acknowledged.

The preferred method is to use the system command and data ports for establishing certain parameters within the SPD when a PSO first requires access to the SPD. The PSO would usually send information requesting a user partition 54 of Figure 3 and a user port structure 205 of Figure 4. The SPD would usually respond with availability of this memory and dynamically configure a user command input port 206 and or user command output port 207 and or user input data port [...] and or user [...] location in its own address space and directs all commands and other information to and from these user ports until otherwise appropriate. A multitasking kernel within secure system functions is preferably responsible for such port configuration as part of its functions. Additional PSOs create their own user ports, e.g. 210 and 215 of Figure 4. The space used by these ports is reallocated when a software object terminates interaction with the SPD. Any one or multiple user ports may be dynamically reconfigured as required while still in use with a particular PSO. This process permits the SPD to be transparent to the UCDPS task handler.

5. Secure System and Secure User Partitions:

If the SPD is to provide any useful processing of information supplied, it requires a method of transferring information into secure areas where it may be further processed. As described, a potential unsecure process is introduced into an SPD once the facility is provided to load externally supplied information into secure memory that in part or whole consists of executable code. PSOs that are to modify the secure system functions are usually provided by the service provider from software objects in their control and the security is good. When a PSO is produced by a Producer, there can be no such guarantee of the integrity of the contained program code. The execution of this material may read information from secure system functions and write it to external locations. In a multiuser system, it may also compromise information relevant to another PSO.

The preferred method is to partition the available secure memory into partitions as previously described that include a system partition and one or multiple user partitions. Programs within a system partition may access any sector of memory [...]. Programs [...] using dual latching of instruction sources as previously described. This protects system integrity and the integrity of one user partition from any other. An alternative is to perform this function with software, by checking that each instruction executing within a particular user partition is not intended to make an unauthorised access to system memory and or other user memory. Another solution would be to allocate a separate microprocessor to one or multiple user functions.

When the secure system kernel switches processing between user functions, it programs logic with the address boundaries of the current user partition with an instruction. A separate user partition is allocated to each user function.

The invention allows for any method [...] in an unauthorised manner, secure information within system partitions and or other secure user partitions. The method does allow valid transfers of processing across system and user functions.

It is preferable that the size of the partition [...]

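The partition scheme in section 5, the kernel programming boundary logic on each task switch and the software alternative of checking every access against the executing partition, can be shown as a small address-range checker. The following is an added example for this page, not code from the patent; the partition table layout, the addresses and the four-partition limit are constructed assumptions. System partition code may reach any sector; user partition code is confined to its own range, including accesses that would straddle the end of the partition or wrap the address space; freed user partitions become reallocatable, as the text describes for terminated software objects.

```c
#include <stdbool.h>
#include <stdint.h>

#define MAX_PARTITIONS 4   /* constructed: one system partition plus up to three user partitions */

enum part_kind { PART_SYSTEM, PART_USER };

struct partition {
    bool           in_use;
    enum part_kind kind;
    uint32_t       base;   /* first address of the partition */
    uint32_t       limit;  /* first address past the partition */
};

/* Secure system kernel state: the partition table plus the address-boundary
 * "logic" that the kernel reprograms on every task switch. */
struct secure_kernel {
    struct partition parts[MAX_PARTITIONS];
    int      current;       /* index of the partition whose code is executing, -1 if none */
    uint32_t bound_lo;      /* boundary logic: inclusive lower address */
    uint32_t bound_hi;      /* boundary logic: exclusive upper address */
    bool     bound_active;  /* false while a system partition executes */
};

void kernel_init(struct secure_kernel *k, uint32_t sys_base, uint32_t sys_limit)
{
    for (int i = 0; i < MAX_PARTITIONS; i++)
        k->parts[i].in_use = false;
    k->parts[0].in_use = true;
    k->parts[0].kind = PART_SYSTEM;
    k->parts[0].base = sys_base;
    k->parts[0].limit = sys_limit;
    k->current = -1;
    k->bound_active = false;
    k->bound_lo = k->bound_hi = 0;
}

static bool ranges_overlap(uint32_t a0, uint32_t a1, uint32_t b0, uint32_t b1)
{
    return a0 < b1 && b0 < a1;
}

/* Allocate a separate user partition for a user function. Returns its index or -1;
 * empty ranges and overlap with any live partition are refused. */
int kernel_alloc_user(struct secure_kernel *k, uint32_t base, uint32_t limit)
{
    if (base >= limit)
        return -1;
    for (int i = 0; i < MAX_PARTITIONS; i++)
        if (k->parts[i].in_use && ranges_overlap(base, limit, k->parts[i].base, k->parts[i].limit))
            return -1;
    for (int i = 0; i < MAX_PARTITIONS; i++) {
        if (!k->parts[i].in_use) {
            k->parts[i].in_use = true;
            k->parts[i].kind = PART_USER;
            k->parts[i].base = base;
            k->parts[i].limit = limit;
            return i;
        }
    }
    return -1;
}

/* Release a user partition when its software object terminates; its space may be reallocated. */
bool kernel_free_user(struct secure_kernel *k, int idx)
{
    if (idx <= 0 || idx >= MAX_PARTITIONS || !k->parts[idx].in_use)
        return false;
    k->parts[idx].in_use = false;
    if (k->current == idx) {
        k->current = -1;
        k->bound_active = false;
    }
    return true;
}

/* Task switch: program the boundary logic with the partition about to execute. */
bool kernel_switch(struct secure_kernel *k, int idx)
{
    if (idx < 0 || idx >= MAX_PARTITIONS || !k->parts[idx].in_use)
        return false;
    k->current = idx;
    k->bound_active = (k->parts[idx].kind == PART_USER);
    k->bound_lo = k->parts[idx].base;
    k->bound_hi = k->parts[idx].limit;
    return true;
}

/* Software form of the check: may the executing partition touch [addr, addr+len)?
 * System code may reach any sector; user code only its own partition. */
bool kernel_check_access(const struct secure_kernel *k, uint32_t addr, uint32_t len)
{
    if (k->current < 0 || len == 0)
        return false;
    if (!k->bound_active)
        return true;                       /* system partition executing */
    if (addr < k->bound_lo || addr >= k->bound_hi)
        return false;
    return len <= k->bound_hi - addr;      /* overflow-safe upper bound check */
}

/* Scenario with constructed addresses: system 0x0000-0x0FFF, two user partitions above it. */
bool demo_partition_isolation(void)
{
    struct secure_kernel k;
    kernel_init(&k, 0x0000, 0x1000);
    int u1 = kernel_alloc_user(&k, 0x1000, 0x1800);
    int u2 = kernel_alloc_user(&k, 0x1800, 0x2000);
    if (u1 < 0 || u2 < 0 || kernel_alloc_user(&k, 0x1400, 0x1C00) != -1)
        return false;                      /* the overlapping request must be refused */
    if (!kernel_switch(&k, u1))
        return false;
    bool ok = kernel_check_access(&k, 0x1000, 16)
           && kernel_check_access(&k, 0x17F0, 16)
           && !kernel_check_access(&k, 0x17F8, 16)          /* straddles into user 2 */
           && !kernel_check_access(&k, 0x0FF0, 4)           /* system memory */
           && !kernel_check_access(&k, 0x1900, 4)           /* the other user partition */
           && !kernel_check_access(&k, 0x1000, 0xFFFFFFFFu); /* would wrap the address space */
    ok = ok && kernel_switch(&k, 0)                         /* valid transfer to system functions */
            && kernel_check_access(&k, 0x0FF0, 4) && kernel_check_access(&k, 0x1900, 4);
    return ok && kernel_free_user(&k, u2) && kernel_alloc_user(&k, 0x1800, 0x2000) == u2;
}
```

The length check is written as `len <= bound_hi - addr` after confirming `addr < bound_hi`, because the obvious `addr + len <= bound_hi` overflows for a large `len` and would admit exactly the wrap-around access a hostile PSO would try.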

6. Initial Programming, Reprogramming and Erasure of secret information:

The invention allows for secure system initialisation functions (SSIF) that may use any method and apparatus to initially program secure system functions into secure locations within the SPD, preferably into battery backed static RAM. This usually occurs prior to release of the SPD from a secure environment. The SSIF are part of the secure system functions, however, they include information that is preferably not made public, however, the invention is not compromised should this occur. For this reason they are suitable for use in mask ROM. Any other secure system functions may be included into mask ROM, however, this is not the preferred location for any information of a sensitive nature. In addition to security factors, the inclusion of the majority of secure system functions in reprogrammable storage elements allows them to be readily updated. The invention allows that the SSIF may be used later to erase and or modify [...] allows that part or all of the functions within the SSIF may be called by other secure functions as part of the normal operation of the SPD. For example the routines to load information from external locations and to program information into flash memory have obvious multiple uses. Certain provisions within the SSIF should only be capable of use when it is known that secure information within the device is invalid.

The preferred method and apparatus is to store the Secure System Initialisation Functions within (preferably secure) storage locations prior to encapsulation (that may be the package of an IC and or any other additional packaging) of the device at the time of manufacture. As a minimum, the SSIF information included within the device at the time of manufacture should be sufficient to load and or program other information into the device and where necessary initiate processing of said other information. This provides an SPD that may then modify itself as required. Said other information may be any information and may include additions to the SSIF not included at manufacture. The storage locations should retain SSIF functions (in part or whole) when other information within the device is erased for any reason. The SSIF may include any required support hardware to program particular storage devices, eg. charge pumps and or supply of special voltages and or timers and or glass windows to erase EPROM. The SSIF is usually implemented within secure memory (that is preferably mask ROM, however, it may be any suitable type of storage [...]

to respond to a command to activate one or multiple SSIF functions (and or any other necessary [...]); and or
to retrieve externally supplied [...]
and to program part or all of this information and or any other information [...]
to finish programming; and or
to verify that the programmed information is error free; and or
to terminate the process such that various applicable functions [...]
to direct processing to part of the information that has been programmed (and or otherwise initiate access to this information).

The ability to load information and subsequently direct processing to this information is a key aspect of the invention. With the addition of a suitable decryption method within the SPD, the SPD may load encrypted information, decrypt this information and then direct processing to said decrypted information. The addition of routines to pass information back to external locations completes the process. (These functions are described in detail later.)

The SSIF and any subsequent secure system functions may load information from any relevant external location to assist the process and or may call routines within external locations to assist the process.

Any SSIF function that [...] it is preferable that this occurs) may use any method and apparatus [...] being able to access secret information. The preferred method flags a non-volatile programmable location once the readback process is complete in a manner that [...]. The preferred method to prevent the flag remaining clear [...] that times after a predetermined [...] a flip flop. It is preferable that said flag can only be cleared after secure storage elements have been erased and or otherwise suitably modified. This is not a function that should be available in unsecure environments.

Disclosure of the information constituting the actual SSIF is unlikely to jeopardise the security of other secret information, however, it is preferable that unauthorised parties are prevented from initialising and or erasing and or reprogramming the device and any method and apparatus may be used to implement this. It is preferable that these processes are password protected (using any password system) to prevent unauthorised use.

One method of implementing SSIF would be to serially clock the required information into the device via latches (that may require a certain predetermined sequence to activate the process). This may not require any predetermined software routines within the device.

The preferred method uses a secure software routine executing from within secure ROM that uses the Timed Password Access process described below to activate programs that perform the functions previously described for a SSIF, transferring the relevant externally supplied (and usually secret) information to the relevant internal storage devices and subsequently initiating processing of this information.

The actual method of programming information into the storage devices will depend on the type of storage device and may use any known method.

The timed password access method makes it unlikely that the password protection will be defeated, while retaining functionality for those parties with the [...] at programming and or deliberate attempts to inactivate the device (eg. computer viruses). This contrasts with password systems that permanently inactivate the process after a predetermined number of attempts, possibly preventing further programming of the device by authorised parties.

The invention allows that a preferably unique password is programmed (usually as part of SSIF) into each device. Without access to this unique password the probability [...]

In an SPD integrated within a system microprocessor, particularly one with multiple microprocessors within, the SSIF may reside in memory locations exclusive to one of the on chip CPUs and be transferred where necessary, using any internal mechanisms (including software), to any required storage devices; and or may be loaded into memory locations shared by multiple CPUs within the package; and or may be loaded into multiple locations, each location of which is exclusive to a particular CPU within the device.

The invention allows that only one CPU or a subset of available CPUs may load information for other CPUs, and or that particular CPUs load information for their own use.

The preferred method of activating the SSIF functions when the SPD is within the system microprocessor is to load the password into one or multiple CPU registers and execute a specially created instruction that activates SSIF to read the password and continue as appropriate. An alternative is to include the functions that detect and process the post instruction symbol stream as described later.

The timed password access (also referenced as TPA) may use any method and apparatus. It prevents any practical gain from attempting unauthorised access to any particular password protected event. It is based on a password of such complexity that in practice it would take such a long time to try all the permutations that it is not practical to gain access to the protected event. Said complexity is assisted by incorporating a delay mechanism that restricts the frequency of attempted access. Said delay may be variable for any reason (e.g. to allow for legitimate errors) and may be created using any method including software loops and or physical delays. The delay may be a hierarchical system that includes different delays depending on the number of incorrect attempts at access. It is preferable that said delay is unaffected by powering down of the device [...]

One method and apparatus consists of the following steps:
a) create one or more password keys that [...]
b) create a means to store a cumulative count in a device that is reprogrammable and preferably non-volatile.
c) create a means to generate a known time interval. The invention allows for embodiments allowing a variable interval; this is most readily achieved by a software loop.
d) create a means to input a password [...] to the relevant routines.
e) create a means to [...]
f) user activates d) and e) including transferring password and target function to the process.
g) check the value in cumulative count in b).
h) if less than certain predetermined value then go to step j) else proceed.
i) invoke c) to generate time delay.
j) increment the value in b).
k) confirm step j) has occurred [...]
l) input password using d) and [...] go to step o), else proceed.
m) set flag in external memory to indicate failed attempt to calling program.
n) exit; to try again enter at f). (If predetermined count above c) [...] encountered every time).
o) clear flag in external memory to indicate success.
p) proceed with called process.
q) return to external memory when finished.
Note: for passwords that protect access to processes that are implemented after destruction or alteration of erasable areas, software routines and associated key codes should be stored [...]
The advantage of TPA over a limited number of attempts that then blocks the system, is that it prevents the accidental and or deliberate [...] methods.

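Steps a) to q) of the timed password access method above, taken together, are the following added example written for this page; it is not code from the patent. The key length, the three delay-free attempts, the ten-tick base delay and its doubling per further failure are constructed assumptions, and the delay is recorded as a tick count rather than spent in a loop so the behaviour can be checked. The cumulative count lives in a structure standing in for the non-volatile store of step b) and is committed before the password is compared, so an attempt interrupted by a power cycle still counts; it is never reset, which is what keeps the delay from being shortened by powering the device down.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define TPA_KEY_LEN        8    /* constructed key length; a real key would be far longer */
#define TPA_FREE_ATTEMPTS  3    /* h): attempts served without delay (constructed) */
#define TPA_BASE_DELAY     10   /* i): base delay in ticks, doubled per further failure */
#define TPA_MAX_SHIFT      10   /* cap on the hierarchical growth of the delay */

/* b), m), o): reprogrammable non-volatile store. The cumulative count is never
 * reset, so powering the device down does not shorten the delay. */
struct tpa_nv {
    uint32_t cumulative_count;
    uint8_t  failed_flag;        /* flag visible to the calling program in external memory */
};

struct tpa_device {
    uint8_t       key[TPA_KEY_LEN];  /* a): password key held inside the device */
    struct tpa_nv nv;
    uint32_t      delay_ticks_spent; /* stand-in for time actually waited */
};

typedef void (*tpa_target_fn)(void *ctx);   /* the password protected process */

/* c): delay generator. Zero until the free attempts are used up, then doubling. */
uint32_t tpa_delay_for(uint32_t count)
{
    if (count < TPA_FREE_ATTEMPTS)
        return 0;
    uint32_t shift = count - TPA_FREE_ATTEMPTS;
    if (shift > TPA_MAX_SHIFT)
        shift = TPA_MAX_SHIFT;
    return (uint32_t)TPA_BASE_DELAY << shift;
}

/* Fixed-time compare: the time to reject does not depend on which byte differs. */
static bool tpa_key_matches(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* f) to q): one attempt. Returns true if the target process ran. */
bool tpa_attempt(struct tpa_device *d, const uint8_t *password, tpa_target_fn target, void *ctx)
{
    uint32_t count = d->nv.cumulative_count;            /* g) read the cumulative count */
    if (count >= TPA_FREE_ATTEMPTS)                      /* h) delay only past the free attempts */
        d->delay_ticks_spent += tpa_delay_for(count);    /* i) a real device would wait here */
    d->nv.cumulative_count = count + 1;                  /* j) increment before the compare */
    if (d->nv.cumulative_count != count + 1)             /* k) read back the non-volatile write */
        return false;
    if (!tpa_key_matches(password, d->key, TPA_KEY_LEN)) {
        d->nv.failed_flag = 1;                           /* m) report failure to the caller */
        return false;                                    /* n) caller may retry from f) */
    }
    d->nv.failed_flag = 0;                               /* o) report success */
    target(ctx);                                         /* p) run the protected process */
    return true;                                         /* q) return to the caller */
}

static void demo_target(void *ctx) { (*(int *)ctx)++; }

/* Scenario: three wrong passwords, a fourth wrong one, then the correct one. */
static void run_demo(struct tpa_device *d, int *unlocks)
{
    static const uint8_t key[TPA_KEY_LEN]   = { 0x4b, 0x65, 0x79, 0x21, 0x33, 0x7a, 0x9c, 0x01 }; /* constructed */
    static const uint8_t wrong[TPA_KEY_LEN] = { 0x4b, 0x65, 0x79, 0x21, 0x33, 0x7a, 0x9c, 0x02 };
    for (size_t i = 0; i < TPA_KEY_LEN; i++)
        d->key[i] = key[i];
    d->nv.cumulative_count = 0;
    d->nv.failed_flag = 0;
    d->delay_ticks_spent = 0;
    *unlocks = 0;
    for (int i = 0; i < 4; i++)
        tpa_attempt(d, wrong, demo_target, unlocks);
    tpa_attempt(d, key, demo_target, unlocks);
}

uint32_t demo_total_delay(void)  { struct tpa_device d; int u; run_demo(&d, &u); return d.delay_ticks_spent; }
int      demo_unlocks(void)      { struct tpa_device d; int u; run_demo(&d, &u); return u; }
uint32_t demo_final_count(void)  { struct tpa_device d; int u; run_demo(&d, &u); return d.nv.cumulative_count; }
int      demo_final_flag(void)   { struct tpa_device d; int u; run_demo(&d, &u); return d.nv.failed_flag; }
```

In the scenario the first three attempts cost no delay, the fourth is charged ten ticks and the fifth twenty, so thirty ticks of delay are imposed in total and the protected process runs once; the cumulative count ends at five, and the legitimate user is never locked out, which is the advantage the text claims over a fixed attempt limit.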

25 E lCCttmic Signature; One or more processes during manufacture and or initial programming and or normal 

26 operation the invention n^ 

27 to a particular group of PCPUs and orESPDs (for any reason, including for example, referencing a secure database 

28 to determine a password to activate the initialisation program described above). This may be done by any method 

29 known to the an including physical markings on the outside of the CPU package, however, the iirvention allows for 

30 (me or multiple serial numbers and or any other klentifying symbols to be included within the device, usually at the 

31 time of manufacture. These are amenable to retrieval under program control and or any other form of automatic 

32 process using any method and apparatus. This provides an automatic method of uniquely identifying a particular 

33 device and or group of devices. This is referenced as an electronic signature and is usually included as part of the 

34 SSIF. Said one or multiple electronic signatures may be transferred to an external location using any method and 

35 apparatus and used by an authorised par^ 

36 or far any other reason). Hie preferred method when the device is a PCPU is to create a specific instruction that 

37 when exec ut ed stores said serial number from a non-volatile storage location within SSIF to a predetermined CPU 

38 register. This process is usually accessible to anyone, although it may be protected by passwords and or any other 

39 method. For ESPDs the serial number is usually read from an addressable location within the ESPD by the system 

40 CPU. m the case of the ESPD described with reference to figure one, the secure system interface functions 
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1 programmed into flash memory 708 would include the electronic signature and when the microprocesor 707 is first 

2 activated by an interrupt on 73 1 after programming of ggjd secure system <rri t ' fll igflr fo n functions* a routine would 

3 transfer the electronic signature to a predetermined location in the dual port memory 704, where it is accessible to 

4 the system microprocessor. 

The invention allows that a secure system user password function may be included within one or multiple PCPUs and or one or multiple ESPDs and this may be required to activate part and or all of the invention. In the case of a system CPU it may also be required to enable the normal processing functions of the device, providing a secure method of stopping unauthorised use of the UCDPS containing said system CPU. Any method and apparatus may be used to implement this function. The usual presence of programmable memory and programmable non-volatile storage elements provides for a plurality of methods. The invention allows for a multi-tiered password system. The preferred embodiment is a time based password system (as discussed elsewhere) that resides in secure system memory and activates routines that reverse various locks placed on part or all of the device.
The password functions usually include routines to disable part or all of the device in response to a specific command, a method that requires the user to specifically disable the SPD, and preferably requires entry of the correct password; and or functions (usually implemented in hardware) that disable part or all of the device in response to reset and or power down and or any other criteria including automatic timeout (preferably programmable); the password processing system is not usually disabled; these functions automatically disable the SPD and or other applicable devices and require the correct password to reactivate the SPD and or other applicable devices.
The password(s) is usually stored in secure non-volatile system memory. The device may be shipped to the user with a known default password and or the password system disabled. Entry to the password system may use any method. In the case of a PCPU this may include use of a special instruction and or a suitable Post Instruction Symbol Stream (PISS). In the case of an ESPD it may involve passing commands using one or multiple methods as described elsewhere in this application, usually by writing and or reading predetermined address locations. A user accessing the device with the correct password may be able to change passwords.
The password system is usually constructed to allow the service provider to reinitiate or disable said password system by supplying an appropriate software object, preferably a PSO.
The inclusion of at least one unique and secure code within each device together with other suitable support resources allows a plurality of methods of secure information transfers to be established between an information provider with access to the secure contents of the device, and or provides for the secure transfer of information in the reverse direction, and or permits information to be specifically encrypted for a particular secure system. These are referenced as system local code functions and they assist the implementation of multiple secure applications, including the secure transfer of information to a device that can verify the source and or validity of the information, and or the secure supply of information from a particular device that can be verified for validity and source by an information receiver (with access to the secure information within the originating secure system CPU); this may be used for any reason including secure communications and or the secure transfer of electronic funds.
The inclusion of one or multiple system group code functions that are identical … (e.g. those destined for the same country) may be used for any reason. This may include the restriction of certain PSOs to particular group codes. One or multiple group codes may be common to all SPDs. The invention allows that part or all of group codes may be user programmable and or password protected. This may allow, for example, parents to restrict children's access to particular PSOs.

The secure local and or group codes may be data and or actual computer instructions.
The effectiveness of the software distribution system forming part of this application is partly dependent on a service provider having access to secure information within each SPD and that some of this information is common to multiple SPDs enabling creation of PSOs that have general application, and that some information is specific to a particular SPD.

The inclusion of secure system … information supplied to the … generated secure system functions … include:

commence execution of internal programs from any source; and or
pass data received from external sources to internal functions; and or
receive a request from internal functions to transfer processing back …; and or
accept data from internal functions for transfer to a location readable by the …; and or
provide a command structure within the SPD to co-ordinate other system functions and, where appropriate, interact with secure user functions; and or
where applicable, co-ordinate interaction with realtime decryption processes; and or
any other required function.
The invention allows for any method that permits an SPD to monitor a PSO as it is executed in order to detect various specially constructed process transfer instructions and or other suitable markers that indicate that interaction with the SPD is required. This particularly applies to a PCPU, where the method usually involves the transfer of processing from external unsecure memory to internal secure locations for continued processing by the system microprocessor using secure methods and or by other embedded microprocessors (that may include other system microprocessors), and or the activation of realtime …

The process transfer instruction may inherently direct external programs to the appropriate internal function or may require a post instruction symbol stream as described with reference to the preferred embodiment.
Secure system command functions also include any functions to transfer processing back to the appropriate PSO.






WO 97/25675 PCT/AU97/00010 

The secure system command function should be structured so that entry to secure system functions is in a regulated manner. This is readily achieved for an ESPD where interfacing may be directed to a limited number of addressable locations that may have various validity checking performed on the data. The process is more complex for a PCPU and is described in more detail with reference to a PCPU.
An important function of secure system command functions is to direct the decryption of incoming encrypted information, direct the transfer of the decrypted information to a suitable location and, where this decrypted information consists of computer instructions, direct execution to the relevant starting point in the decrypted program and provide any necessary support functions as said computer program is executed. When the incoming encrypted information is data this should be processed as required, which may include appropriately linking it with any internal and or external programs and or data and or special purpose functions (e.g. the data may be used to configure programmable logic, creating its own decryption engine) including a linked computer program also transferred in encrypted format. The command functions also direct the return of execution and or data to external locations as required.
7. The invention also allows that one or multiple hardware devices within the SPD may actually be fabricated in part or whole from programmable logic devices. This particularly applies to encryption/decryption engines that may be dynamically engineered as required. The preferred type of programmable logic is that known to the art (refer to programmable gate arrays by Xilinx) using battery backed static memory to create the interconnections between various logic gates, as this may be rapidly erased if required. The information to transfer this information to the programmable logic elements is preferably via one or multiple … and is preferably parallel data. Part or all of such devices may need programming prior to leaving a secure location.
8. Secure Decryption, Secure Processing, Secure Decryption and Processing, Secure Processing of Information Unique to the SPD. The system functions should provide suitable software routines such that, when requested by appropriate commands, they perform a combination of functions that affect any combination of the following:

• for the secure transfer of at least a portion of encrypted information constituting part or all of a software object from a location external to said physical device, to a location internal to said physical device, wherein said physical device securely decrypts part or all of said encrypted information within said physical device in conjunction and or subsequent to said transfer and
• may initiate and securely process part or all of the ensuing decrypted information in conjunction and or subsequent to the decryption process and
• may interact in any way with any other internal and or external information to correctly said process and may terminate said process as required and
• said terminate may transfer data and or execution to any other internal and or external location, including the external software object and
• the preceding processes occur in a manner that minimises … instructions and or data; and or
• that includes computer instructions and or data securely programmed within said physical device and a facility for an external software object to transfer processing to said computer instructions and or data securely programmed within said physical device; and the capability of processing part or all said securely programmed within in a secure manner, interacting in any way with any other internal and or external information to correctly said process and
• may terminate said process as required and
• said terminate may transfer data and or execution to any other internal and or external location, including the external software object and
• the preceding processes occur in a manner that minimises … analysis of secret information; and or
• with the capability of being suitably requested by an external software object to provide information securely stored within.
The secure system decryption/encryption functions (together with the necessary command functions to load encrypted information and or to execute, and or otherwise manipulate, the information decoded from this encrypted information, possibly in conjunction with clear code and or other decoded information) may eliminate the requirement to preload specific secure user functions into the device prior to supplying said device to a user. Instead each PSO may include the secure user function as encrypted information included within the PSO supplied to a user, resulting in a device that can securely process part or all of a diversity of software objects. As suitable system command functions may be constructed to dynamically load blocks of encrypted information in and out of secure user (and or system) memory, much larger portions of encrypted information may be utilised as part of a software object than is the case with devices dependent on secure information preprogrammed into a limited amount of secure user (and or system) memory.
In addition to decrypting and executing the … that the device may securely add to and or edit secure system functions using a similar process.

The invention also allows for part of the secure system functions to be loaded (usually in encrypted format) into the device from external storage each time a UCDPS is booted (and or on any other basis).
The security of the secure system routines and in particular secure system decryption routines stored within the SPD is pivotal to maintaining the security of processes using the device. The information within secure system functions must be protected to a level that makes it not practical to defeat and, while any storage device may be used to retain the secure system functions within the device, the preferred method uses battery backed static memory. This can be rapidly erased in the event of tampering, and such a requirement particularly applies to any system functions that are stored in decoded format.

The transfer of information from one location to another may result in transmission errors and the invention allows for secure system error detection functions that may use any known method and apparatus to detect and or correct these errors.
As the usual location of the SPD is within the UCDPS, information that is to be transferred to the SPD may be accessible and deliberately modified, e.g. computer viruses and or attempts to reverse engineer the SPD. The invention allows for secure system validity checking functions, that may use any method and apparatus to verify that the information supplied to the SPD is as intended by the information provider, and or take any required actions that may include directly or indirectly (usually via secure system error monitoring routines) disabling part or all of the SPD. Where applicable, this may include the erasure and or alteration of secure information.

The use of cyclic redundancy checking (or CRC) of information generated by a service provider and embedded within a PSO and then encrypted is one method of providing secure validity checking functions. The reversal of this process in the SPD may use any combination of hardware and software methods. The process is well known to the art.
9. Secure system decryption/encryption functions: The decryption functions may in part or whole be implemented in software to decrypt externally supplied and encrypted information using any known methods, including the … encryption standard. One or multiple hardware based encryption/decryption engines may perform the decryption, in part or whole. Such an engine is one compatible with the Data Encryption Standard (DES). The method of using predetermined processes located within the SPD to decrypt (and encrypt) information is referenced as the Standard Decryption Process in this application. Standard Decryption Processes may require the supply of various codes to function correctly. The original cryptography processes were developed for the secure communication of information between parties and they work well when this is the primary motive. When the purpose of encryption is to enable one party, in this case the producer, to encrypt information to protect it against unauthorised use, and the second party is a user who may prefer that the information was not encrypted, then the original basis for secure cryptography changes, and the premise for security is based on the fact that said second party will receive information, however it will be difficult for them to access it in clear code. This has resulted in various specialised devices to decrypt information. As described this method does not provide a system that is 'not practical' to defeat. The Oscar method of secretly decrypting … information provides a method not practical to defeat.
The capability of supplying an SPD with a PSO that can be made to perform any desired function within an SPD that is consistent with available resources and constraints of said SPD, allows said SPD to be dynamically modified to perform any function as required. This permits a PSO and or any other internal and or external function to actually request one or multiple decryption functions to be loaded into the SPD. Said decryption functions may include information that is used to dynamically manufacture a hardware decryption engine from programmable logic within said SPD.

The capability of significantly varying the decryption process, and or constructing hardware cipher engines from volatile electrical connections that cease to exist when subjected to analysis, and or dynamically engineering cipher engines to suit a PSO makes characterisation of the decryption process very difficult. The known art does not describe such a method and apparatus, which this invention references as Dynamic Decryption in this application.
By including one or multiple decryption processes within an actual PSO, the decryption process can become self modifying with the instructions of the actual PSO varying decryption parameters and or decryption algorithms and or installing, in part or whole, one or multiple new decryption algorithms during the process of executing the PSO that are further used to decrypt additional parts of the PSO. This may occur on multiple occasions, in any combination, during execution of the program. The key to this process is to include with the PSO a sub-routine that can be recognised and executed by functions within the SPD, and said sub-routine initiates the process of unlocking the subsequent encrypted material. Said sub-routine is encrypted using a process that is known to be reversible by functions within the SPD. The known art does not describe such a method and apparatus, which this invention references as Recursive Decryption in this application.
The decryption processes described are on the basis of encryption of information by a service provider with access to the secure information within multiple SPDs and the decryption of information in the target SPDs. PSOs may be encrypted for a specific SPD and or multiple SPDs.

The decryption processes described also may apply to the encryption of information from an SPD to a service provider. The user has no knowledge of the encryption process and usually little knowledge of the clear code being encrypted. The process can be made even more secure by the service provider sending a one off encrypted encryption process to the SPD. This process will have multiple applications and is referred to as the Coco method.

Standard Decryption and or Dynamic Decryption and or Recursive Decryption and or Realtime Decryption, and or the Coco method may be used in any PSO in any combination determined by the service provider. The service provider may always supply the required information to ensure any chosen encryption process may be reversed in one or multiple target SPDs. The invention allows for any known method of encryption and or decryption to be used with any part or all of the invention.
The encryption/decryption methods described pertain to communications between service provider and user. They are also applicable to the secure storage of information within a UCDPS, including the encryption and storage of various values in the UCDPS memory that are intermediate and or final results of processing.

The decryption and or encryption processes described for the invention may interact in any way with external processes and the interaction may assist with said decryption and or said encryption.

The preferred security provided by an SPD is its function of decrypting and executing encrypted programs in secret and or decrypting and processing encrypted data in secret.

The invention also allows for the decryption of information that is not securely processed.

The invention allows that the SPD may be programmed with one or multiple secure user functions and any method and apparatus may be used to select the … The system functions that perform this role are referenced as system task switching functions and they allow that PSOs may be co-resident and or multitasking and said multitasking may occur alongside programs that do not require the use of the invention.
The use of battery backed storage elements (and or other continuous functions, e.g. security … CPU) requires a continuous supply of power to the device in the absence of system power. The invention allows for any method and apparatus to achieve this including the integration of a battery into the device and or an external battery together with suitable monitoring and switching circuitry. An A/D converter may be included to detect changes to battery voltage for any reason. These are referenced as secure system power management functions.
The invention as described permits:

1) the secure transfer of encrypted information from an external source (including memory) using any method, to one or multiple secure locations within a system CPU and or ESPD, and then (and or during)
2) the use of any suitable combination of microcode and or hardware and or secure internal software routines and or data (that may be augmented by any other software routines and or data in any location) securely decodes this encrypted information and or stores the decoded (and or remaining encrypted) information in a secure location (usually internal to the device, however it may include encrypted information stored in suitable external locations), and then (and or during)
3) the processing of sufficient information from the encrypted and or decrypted information (and or any other internal and or external information that is accessible, directly and or indirectly) to enable the secure and secret use of sufficient secret information that it is not practical to gain any useful benefit from any information that is in clear code and said clear code may be information that was never encrypted and or information that was encrypted and subsequently stored in unsecured locations, and

if the only reversible functional limitation applied to a software object is that which needs to be reversed by a device as described for a secret processing device, permits the original software object to be used as intended, and may do this without revealing part or all of the native object code constituting the software object, conditional upon the appropriate information being included within the SPD.

28 10. Automatic Reporting Facility. 

29 A major application of the SPD as it applies to the secure distribution of software objects suitable for use on a 

30 UCDPS is to supply software objects that have been modified such that they must interact with the SPD on a 

31 frequent enough basis, that the SPD may use this interaction to record the usage of software objects, in a manner 

32 that directly and or indirectly equates to a monetary value. These modified software objects are one type of PSO as 

33 described in this application and to distinguish them from other types of PSO they are subclassified as Commercial 

34 Protected Software Objects or CPSO. A CPSO has some requirement for the exchange, directly or indirectly, of 

35 money for the use of the CPSO. Hie usage of CPSOs may be time and or events based and or any otto method. The 

36 preferred methods allow unlimited use of these CPSOs as long as certain criteria are complied with. 
37 

38 As the SPD preferably does not require its host UCDPS to be attached to any remote device that may exert some 

39 farm of control on the use of CPSOs and as in many instances CPSOs have no intrinsic limitation on their lifespans 
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1 and are readily available ai little or no cost, a method is required to limit the use of CPSOs such that payment is 

2 made. 
The invention allows for the use of CPSOs with an SPD to be controlled using any known method and apparatus and this is usually on the basis of one or multiple predefined limits electronically transferred to the SPD that are suitably adjusted as CPSOs are used. When the predefined limits are exceeded (and or in any other way reached) the SPD preferably stops processing the CPSOs. The invention allows that said … basis; the preferred method is to require prepayment for units. The invention does allow that there are no predefined limits on the use of CPSOs, however, this would usually only apply to major account customers and even they may prefer to have limits placed on what individual employees may spend. The SPD ensures that money is paid for use of CPSOs.

The preferred method of controlling usage of CPSOs that permit unrestricted use of the CPSO, on the basis that the SPD will record this use on any measurable units of use basis, is to prevent the SPD processing these CPSOs unless there is sufficient electronic credit within the SPD and or accessible to the SPD. This electronic credit may be stored in any form. The preferred method stores one or multiple values in the SPD.
11. An SPD may disable itself in part or whole when any requirements that are attached to the use of PSOs are not met. This includes when PSOs have been determined as being tampered with and or it is determined that an unauthorised party is attempting to use software methods to compromise the SPD and or that there is physical tampering with the SPD and or that various requirements for transferring information generated by the SPD directly and or indirectly have not been met and or that various electronic credits have been used and or that various keys required to activate one or multiple PSOs have not been supplied and or are incorrect and or any other reason.

12. An SPD that is disabled in part or whole may be re-enabled in part or whole by any method including the supply of an appropriately configured and validated software object.

28 13. Processing of Protected Software Objects by SPD: Using any suitable software routines that may be resident in 

29 the SFD and or require loading from any external sources and that may require assistance from any other SFD and or 

30 PSO and or external resources, the SPD responds to any suitable command generated by a software object 

31 requesting access to any one or multiple functions within the SFD by determining, at any appropriate stage, that a 

32 software object that has requested access to resources within the SFD is a software object that has been specially 

33 prepared to work in conjunction with the SFD and that it has not been tampered with. Such a software object said 

34 specially prepared is referred to as a PSO. A PSO is preferably encrypted, in pan or whole, using any known one or 

35 multiple encryption processes. A PSO preferably includes embedded error and or validity checking information and 

36 this may use any one or multiple known methods. The process of ensuring that a software object is a valid PSO 

37 preferably includes one or multiple error and validity checking processes and the decryption and or execution of 

38 parts of the software <>bject withintheSPD. 
39 
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1 If the object is not acceptable, the SFD may take any course of action including disabling part or all of the SPD, 

2 reporting an error to the user using any method, denying access with no report, and or any other action. An object 

3 may not be acceptable for any reason including mat the object was not created for use with an SPD or that changes 

4 within the software object have occurred. If the SFD receives a predetermined number and or types of errors it may 

5 decide that these errors are not legitimate and take any course of action to protect the security of the device. This may 

6 include granting no further access and or invalidation of part cr all of the secure information within the SFD. Hie 

7 conditions that determine this course of action may be dynamically modified by the supply of an appropriate PSO. 
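As an added example (not the patent's own code, which it does not provide), the following Python models together the mechanisms described in sections 8 to 13 above: CRC validity checking embedded in a PSO before encryption, Recursive Decryption where each decrypted stage carries the key for the next, the electronic credit store, and the error-count lockout. The cipher (a SHA-256 counter-mode keystream standing in for the DES engine), the stage layout, the key length and every name are assumptions.

```python
"""Constructed model, not the patent's code: CRC validity checking embedded in a
PSO before encryption, Recursive Decryption (each decrypted stage carries the key
for the next), and electronic credit with an error-count lockout.  The cipher is a
SHA-256 counter-mode keystream standing in for the DES engine the text names."""
import hashlib
import os
import struct
import zlib

KEY_LEN = 32  # every decrypted stage ends with the KEY_LEN-byte key of the next stage


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric XOR with a SHA-256 counter-mode keystream (stand-in for DES)."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))


def wrap_segment(key: bytes, payload: bytes) -> bytes:
    """Provider side: append CRC32 of the clear payload, then encrypt, so the
    check value is only meaningful after decryption with the right key."""
    return keystream_xor(key, payload + struct.pack(">I", zlib.crc32(payload)))


def unwrap_segment(key: bytes, blob: bytes) -> bytes:
    """SPD side: decrypt, then verify the embedded CRC; ValueError on mismatch."""
    plain = keystream_xor(key, blob)
    if len(plain) < 4:
        raise ValueError("segment too short")
    body, (crc,) = plain[:-4], struct.unpack(">I", plain[-4:])
    if zlib.crc32(body) != crc:
        raise ValueError("validity check failed")  # wrong device key or tampering
    return body


def build_pso(local_code: bytes, stages: list) -> list:
    """Recursive Decryption, provider side: stage 0 is keyed by the target SPD's
    local code; each stage carries a fresh random key for the stage after it."""
    segments, key = [], local_code
    for i, program in enumerate(stages):
        next_key = os.urandom(KEY_LEN) if i + 1 < len(stages) else bytes(KEY_LEN)
        segments.append(wrap_segment(key, program + next_key))
        key = next_key
    return segments


class SPD:
    """Minimal secret processing device: local code, credit store, error counter."""

    def __init__(self, local_code: bytes, credit: int, max_errors: int = 3):
        self.local_code = local_code  # unique secure code; never leaves the device
        self.credit = credit          # prepaid units (topped up by a credit PSO)
        self.errors, self.max_errors, self.disabled = 0, max_errors, False

    def add_credit(self, units: int) -> int:
        """Model of an Electronic Credit PSO adding prepaid units."""
        self.credit += units
        return self.credit

    def run_pso(self, segments: list, cost: int = 1) -> list:
        """Decrypt a CPSO stage by stage and charge `cost` units on success.
        Returns the clear stages; raises on lockout, no credit or invalid object."""
        if self.disabled:
            raise RuntimeError("SPD disabled")
        if self.credit < cost:
            raise RuntimeError("insufficient electronic credit")
        key, outputs = self.local_code, []
        try:
            for blob in segments:
                plain = unwrap_segment(key, blob)
                outputs.append(plain[:-KEY_LEN])
                key = plain[-KEY_LEN:]           # key for the next stage
        except ValueError:
            self.errors += 1
            if self.errors >= self.max_errors:   # repeated bad objects: wipe and lock
                self.local_code, self.disabled = bytes(KEY_LEN), True
            raise
        self.credit -= cost                      # usage recorded against credit
        return outputs


def demo() -> dict:
    """Constructed run: valid object on its target SPD, the same object on another
    SPD, a bit-flipped copy on the target, then lockout after repeated errors."""
    target = SPD(local_code=os.urandom(KEY_LEN), credit=2)
    other = SPD(local_code=os.urandom(KEY_LEN), credit=2)
    stages = [b"stage0: setup", b"stage1: main", b"stage2: report"]
    pso = build_pso(target.local_code, stages)   # encrypted for `target` only
    out = {"valid": target.run_pso(pso) == stages, "credit": target.credit}
    tampered = pso[:1] + [bytes([pso[1][0] ^ 1]) + pso[1][1:]] + pso[2:]
    for device, obj in ((other, pso), (target, tampered)):
        try:
            device.run_pso(obj)
        except ValueError:
            out["rejected"] = out.get("rejected", 0) + 1
    for _ in range(3):                           # `other` keeps trying: lockout
        try:
            other.run_pso(pso)
        except (ValueError, RuntimeError):
            pass
    out["other_disabled"] = other.disabled
    return out
```

Credit is only decremented after a whole object validates, so a rejected or tampered copy never consumes units, while an SPD that receives the object it was not encrypted for accumulates errors until it erases its local code and locks.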
If it is determined that the software object is a valid software object for use with the SPD, examination of any relevant part of the software object determines what action is required of the software object. Said action may include performing further validity checking and or decryption and or any other actions as the PSO is processed in conjunction with the SPD. Protected software objects preferably include information that identifies the type of information that is included within the object, resources required of the SPD, information to assist validity and error checking of the information, information to assist decryption of encrypted information and any other relevant information. Said any other relevant information may be anything consistent with the resources of the SPD because one feature of the SPD is its capability of being securely updated to perform any software function consistent with the resources of the SPD. This updating may be dynamically performed by supplying the appropriate one or multiple PSOs prior to supplying the PSO that will use the dynamically modified functions. Said PSO that will use the dynamically modified functions may itself include in part or whole the information to said dynamically modify.
20 

21 The following are the types of PSOs that an SPD suitable for use in the protection and distribution of software 

22 objects preferably includes, however, functions for one type of PSO may be combined in pan or whole with any 

23 other one or multiple PSO functions to create one or multiple muted function PSOs: 
24 

25 a) Secure System Update PSO: these may modify the secure system functions of the SPD using any method 

26 including data and or program instructions that are to be loaded to specific locations within secure system memory 

27 and or they may be programs and or data that is to be executed to perform one or multiple functions and or any other 

28 method. This type of PSO is preferably heavily encrypted with multiple checksums. When validated, required action 

29 is performed by the SPD . 
30 

b) Electronic Credit PSO: this adds values to one or multiple non-volatile storage locations within the SPD. Said locations are preferably clear (or set to any other predetermined values) when the SPD is supplied to a user for the first time. Said non-volatile storage is preferably flash memory, described previously. Said values preferably equate to a number of units of available credit for use with various CPSOs and or for any other reason. These values may represent prepaid credits, stored in a location that is preferably decremented as available credit is used, and or credits that are unpaid and are effectively a credit limit against use. Any method may be used to distinguish prepaid credits from unpaid credit.

c) Report Verification PSO: this verifies that a particular report generated previously by the SPD has been received by its intended recipient (usually the service provider). It is preferably specific to a particular SPD, in that unique information within the SPD is required to correctly validate it and have it perform the required functions. It may perform any one or multiple functions, directly and or indirectly, within the SPD. It usually resets any restrictions within the SPD that are awaiting receipt of the Report Verification PSO, and may do this in any way. It also usually programs the relevant locations with a new reporting interval and or modifies in any way any part or all of the report generating and verification system.

d) CPSO, as previously described.

Preparation of a Protected Software Object:

It is one object of the present invention to provide a method and apparatus for distributing a software object from a producer to potential users such that a user may make as many legal and or illegal copies of the software object, and distribute them as widely as they wish; however, any user executing the software object must remunerate the producer and or service provider of the software object, effectively eliminating [...]. The method to achieve this is to convert the original software object to a PSO that is usually still capable of running on many UCDPSs; however, those UCDPSs must be equipped with a Protected CPU (PCPU), and any particular PCPU that the PSO is to operate in conjunction with must meet the conditions of use attached to the PSO. This may or may not require intervention by the user. In the following description a reference to a PCPU also applies to ESPDs. The preferred method allows the user unlimited use of PSOs contingent on them having sufficient electronic credit within, and or securely accessible by, the PCPU. The conversion from a software object to a PSO preferably occurs in a secure location.

Object Support Information:

One step in the creation of a PSO is to take a software object from the producer, referenced as the primary software object, and create Object Support Information (OSI) that provides certain information to assist the execution of the PSO. The actual creation of the OSI is usually a co-operative process between the producer and the service provider; however, any operations that require the use of information within the secure system memory of a PCPU would usually be restricted to the service provider. The OSI is usually placed near the start of the program; however, it may be located anywhere throughout the program as long as it is arranged in a sequence acceptable to the PCPU that will process it, and or the PSO includes information that may permanently and or temporarily modify the PCPU such that it can locate and use the OSI. To protect the information in the OSI from tampering, part or all of it may be encrypted, and or may have various checksums that are preferably secure and or encrypted themselves. The OSI may be provided in part or whole as one or more separate programs, and or as part of one or more other programs, and or may already be present in the PCPU, and or by any other method. If the OSI is within separate modules and contains information that the producer does not want deleted, there should be a suitably secure cross reference in the main part of the PSO to check for the presence of the independent modules and for valid data within them. The preferred embodiment includes all information within the body of the primary software object or within one or multiple modules of the primary software object. The actual method to encrypt and decrypt information may use any known method, any number of levels and any combination of methods. The OSI is a description of certain functions that may be required, and they may be implemented using any known method and structure. The ability to program the secure functions within the target PCPU enables any new structure to be created by supplying a suitable PSO compatible with existing structures.

WO 97/25675 PCT/AU97/00010

The following is a non-exclusive list of components that may be found in OSI:

Detection of Presence of a PCPU: this is usually executed immediately after the start of PSO execution. Should a PSO attempt to execute in an environment without a PCPU, one or multiple adverse outcomes may result; for example, the hard drive may be modified.

The preferred embodiments of a PCPU allow access to the secure memory by the execution of various special instructions. As these instructions do not exist in a normal CPU, their execution in that environment may cause problems. The preferred methods of ensuring that PSOs are only used in a UCDPS that has an appropriate PCPU are:

Common instruction trigger: a sequence of instructions common to a PCPU and to the CPU that it replaces is executed such that a certain combination triggers various events in the secure parts of the PCPU. The following example shows one alternative:
• the protected software is loaded into memory;
• execution commences at a particular location that executes three no-operation (NOP) instructions in sequence, followed by a branch to the next instruction, which may be the start of three more NOPs (any number, combination and permutation of suitable instructions may be used);
• the instruction following this is a branch to a routine that terminates execution of the program;
• a CPU that is not a PCPU will execute these instructions and quickly terminate the program;
• a PCPU will have the facility to recognise the particular sequence of instructions; this triggers internal routines that modify the data in the branch instruction and or redirect external execution to a particular location that enables continued processing of the PSO.
This process is transparent to the operating system.

Checking the availability of resources:

If the PSO is to execute in a multitasking environment where multiple tasks are concurrently executed on a time sliced basis, it is possible that the [...] to execute a routine to determine the availability of PCPU resources and any relevant information that the PSO requires to communicate with those resources; this information may be of any sort, including a reference task number, and or an address or block of addresses the PSO should use to communicate with the PCPU, for example the [...] and data ports 199 in Figure 4, and or the amount of internal PCPU memory available to the PSO, and or any other information. This process may also involve the PSO providing the PCPU with certain information. In the case of the PCPU described with reference to the drawings, this transfer of information would usually be via the nominated addresses.

Should the PSO currently be unable to use the PCPU, it can take any known course of action, the commonest of which may include entering a delay routine and trying again later; an efficient method is to call a routine designed for this in the operating system, with or without a message displayed. A PCPU may have the facility to transparently override the operating system, and a message may be displayed for the user to determine future action. Other actions may include program termination, with or without a message.

A PSO preferably checks information currently resident within the secure system memory of the PCPU for the presence of certain functions within the system memory, and that they are a version suitable for use by the PSO. This is usually confirmed by comparing a version number with that required by the particular PSO; however, any method may be used. Should certain functions not be current, the invention allows that a PSO may be shipped with update information included as part of the PSO and or in other PSOs shipped with the PSO, and that a PSO may, automatically and or at the user's direction, update the system memory functions to current information and suitably adjust the version number, and that this may be a temporary modification for the duration of execution of the PSO and or a semi-permanent and or permanent change. Should the system functions not be able to be updated for any reason, the PSO would usually terminate with a request for the user to arrange for the necessary changes to system functions; however, it may take any other action.

Conditions of Use:

As PSOs may need to identify to the PCPU the producer of the PSO (e.g. to log usage and allocate payments), a unique vendor identity code may be included in the PSO in a position, and or in any other way, that can be determined by the PCPU. This code is usually consistent on each product from the producer. The invention allows for this method, or any other, to differentiate PSOs that are primarily commercial objects from those that provide various support functions.

To differentiate a particular program from others by the same producer, a unique program identity code (UPID) is usually included in the PSO in a known location, and or in any other way that can be determined by the PCPU. This may be unique amongst products from the same producer; however, it may be identical to that of another product by another producer. This code may be further used to categorise a particular program, e.g. part of the code may identify the program as a game or a word processor, etc., and this part would usually be common across all UPIDs; another part may identify the version number, and the balance may be used to ensure that the UPID is unique from any others from that producer. Any other relevant information may also be included in the code. The invention allows that the various sub-parts of information included in this code may in part or whole be allocated their own codes.

The invention allows that the billing for the use of a PSO may use information included within the PSO. Any of the following information may be located where the PCPU, and or any other applicable devices or routines, can identify it:

Currency Identifier - this indicates the currency in which the producer of the PSO is to be paid. It is mainly used by the service provider; however, it may be used for any reason.
Personal User Device Valid - this indicates whether this PSO may be used with a Personal Software Card. This is a device described in another application that lets the user of one UCDPS temporarily or permanently port various access and billing to another UCDPS.

Timed Basic Charge (or TBC) - this is the unit rate for use of the product. The preferred rate is by the hour; however, any time interval may be used. It is anticipated that users will ultimately determine the type of billing they want, and it will probably be based on a time used basis associated with certain frequency discounts and possibly a cut off point at which there are no additional charges. The charge rate is usually in terms of a standard unit, for example US Dollars. Whatever standard rate is chosen is usually standardised across PSOs. The invention allows that any amount in any currency may be used. The invention also allows that the TBC for various countries may be different, for example to allow for different economic conditions. Any particular PSO may include the entire set of TBCs for all countries or only a subset. The TBC may not be available to all regions. The invention allows that a discount schedule may apply to the TBC for increasing use or for any other reason, that this may vary from one region to another, and that this discount schedule may be stored in the PSO. Further discounting may apply for different types of users, e.g. government, education, business, and part or all of this information may be stored in a PSO. Various vendors may wish to offer discounts to existing customers when an updated version of their product is released and or when a new product is released, and these may be stored in a PSO.

The PSO usually includes one or multiple transaction processing codes to indicate the type of billing system used. This may vary from region to region, and each PSO may have a list that includes transaction processing codes for all countries or any subset. For any particular country there may be different codes for different groups, e.g. government users may be billed using a different method to business, and the combinations used may vary from one region to another.

While not an exclusive list, the following are the more common types of transaction processing codes:
a) The PSO may be distributed at nominal cost with the customer paying for time used.
b) The PSO may be distributed at nominal cost with the customer paying for time used; however, a data key (at no cost) is required to activate the program.
c) The PSO may be distributed at nominal cost with the customer paying for time used; however, a data key is required to activate the program and there is a charge for the key. This charge may be located in the relevant fixed basic charge field.
d) The PSO may be distributed at nominal cost; however, a data key is required to activate the program and there is a charge for the key, but there are no continuing charges.
e) The PSO is only supplied on receipt of payment, with additional charges for time used. A key may be required to activate the program.
f) The PSO is only supplied on receipt of payment; however, there are no additional charges.

The PSO may be one that is generic to multiple PCPUs [...].



Event Basic Charge (or EBC) - the invention allows that usage of software may be billed on the number of times the program is opened and or on any other event based mechanism. The Event Basic Charge is the unit for this method of billing. All of the options and or discounts and or requirements described for the TBC above apply for the Event Basic Charge and will not be repeated; however, the particular combinations and options used may vary from those of the TBC in any way.

Fixed Basic Charge (or FBC) - this is a fixed charge to use the software and may be a one off charge that subsequently permits unlimited access on that UCDPS, or a charge that grants access and then bills on a usage basis using any combination of the previous methods. All of the options and or discounts and or requirements described for the TBC above may be applicable for Fixed Basic Charges; however, the particular combinations and options used may vary from those of the TBC in any way.

Transaction processing codes may be constructed to detail any combination of billing processes and discounts and anything else.

The ability to distribute software in massive quantities with very low upfront costs to the user may bring significant changes to the methods of marketing and advertising software products. One method may be to permit the user free or discounted access to various products, particularly new products. This may include various promotional schedule codes (PSC) within the PSO, designed to achieve any outcome that is permitted by the PCPU that the PSO executes on, and this may include codes representing anything to do with promoting any sort of product using any known method, including:
• a list of discounts and the times they apply may be included within the PSO, and there may be multiple such lists. The discounts may be of any value, and may result in free software for variable periods of time. The facility even exists for a producer to pay a user to try their product. Particular promotions may have a use by date attached to them.
• Another approach may be to generate a random number in the PCPU each time a program is initiated, or on any other basis. If this matches a code in the PSO, then various free program time may be provided on the current PSO and or on another program by the producer, and or various prizes may be given away.
• The software may also be made available to a potential user with part of its functions disabled, and no charge or a nominal charge applied to the use of this partially disabled program. This may be particularly useful for programs that may take time to assess, for example a new accounting program, where a potential customer may want to fully assess the package prior to committing to a changeover from an existing system. The activation to a fully operational system may require a key (that may or may not have a charge), or simply require the user to execute a program that initiates time and or event based billing, or any other method.

The information to perform any promotional function may be included in part or whole within the PSO; however, it would usually rely in part or whole on secret processes within the PCPU to prevent unauthorised manipulation of the promotions.

Certain software products may be unsuitable for use by particular groups. For example, certain countries may be restricted from using software because of security concerns and or because it may offend certain cultures; other software may be unsuitable for children, and or may be restricted to certain professions, and or may be restricted to use at certain times, and or for any other reason. These are referenced as Group Restriction Codes (GRC) and may be included in a particular PSO to limit access to various categories of user.

Any information included in a particular OSI may become obsolete, and this may be a particular problem with prices and discounts. Any information contained in an OSI may be replaced in part or whole with other, more readily updated, information stored in any suitable location; this may include locations within the PCPU, and or various files stored on one or multiple mass storage devices, and or information distributed with other PSOs, and or distributed as part of codes supplied to users to [...]. All of this may be subject to the overall control of the service provider, who can vary the actual amount charged to any particular user. The billing process is described later in this application.

Part or all of the information within the OSI is usually reliant on known information within the secure system memory of the PCPU to be correctly interpreted and or executed [...]. As the secure system memory may be reprogrammed by suitably encrypted external information, part or all of which may be included within the PSO, the specific requirements of a particular PSO may be met by dynamically modifying part or all of the secure system memory. Additional flexibility may be gained by loading any required part of the PSO into secure user memory for execution. Although various functions have been detailed for the OSI, in practice a multiplicity of special functions may be included, and these may occur during any part of the execution of the PSO.

Method to update the PCPU:

Another step in the preparation of a PSO may be to include in the PSO various routines and data that will execute automatically and or under user control to update information on the UCDPS for any reason, and this may include:
• updating the secure system memory;
• updating various files stored on a UCDPS that contain billing information and or promotions and or any other information.
These update functions may be included as part of the actual PSO and or as part of one or more other PSOs. These other PSOs may be created specifically for the purpose and or may be parts of other PSO applications. These other PSOs may be supplied to the user with the said actual PSO and or may be supplied separately.

Error and Validity Checking:

A PSO, and the PCPU with which it is to operate, are provided with a number of secure mechanisms to protect against unauthorised analysis of the information stored within them. As there may be considerable financial gain to any party that manages to compromise the security of either, it is anticipated that a number of attempts will be made to compromise the security of both, and one method may be aimed at changing various parts of the PSO in an attempt to analyse the various outcomes. In order to protect against this, and also to detect genuine errors in the PSO, it is usual to use one or more error and or validity checking processes on information within the PSO. These may use any known method and apparatus, and may be dependent in part or whole on functions within the PCPU, that may include:
• routines within system memory, and or
• various algorithms implemented in hardware within the PCPU, and or
• routines loaded from external sources (usually, in part or whole, in encrypted format), and or
• routines loaded from the PSO (usually, in part or whole, in encrypted format), and or
• any other source.

The error checking and validity checking is a process that usually occurs in total secrecy at both ends, with the service provider the only party that knows [...]. The service provider is aware of the process [...] any particular PCPU uses to extract and validate any parity information and or CRC information and or any other information, of the method used to take the actual code of the PSO and generate [...] and CRC information and any other information, and of the methods used to determine whether or not the expected information matches the extracted information. The service provider can take a PSO at any stage or stages in the conversion process from software [object to PSO ...] manner than the outcome when run through [...] errors. Should one or multiple parts of the PSO be changed by an unauthorised party, then the error and or validity checking process in the PCPU will detect the modifications and may take any known action, including those actions described later. If the service provider prepares a PSO for [...] and [...] PCPU reprogramming [...]; however, if the service provider [...], [...] may need to be included within the PSO [...]. As part or all of the PSO will usually be encrypted, there is no practical way for an external analysis of the PSO to even hint at which apparently meaningless data is part of error/validity checking and which is encrypted information. Furthermore, the error/validity checking information may itself be encrypted. Furthermore, the system usually only needs to work in one direction; [...] included within the PCPU to generate error and or validity checks on information that is to be stored in encrypted format in external resources (these are discussed in more detail in the applications dealing with these devices). Any number of error detection and validity checks [...] of the encryption process. The invention [...] all of the PSO with the actual method to reverse this included within the PSO, and as long as part or all of the method to reverse is encrypted and the reversal process occurs in secrecy, there is no means of reverse engineering the process, and the actual methods and [...].
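The OSI fields described under Conditions of Use (vendor identity code, UPID with its category, version and serial sub-parts, currency identifier, TBC, transaction processing code, GRC) and the tamper detection described under Error and Validity Checking can be illustrated together. The following Python is an added example and not code from the patent. It packs an OSI block in an assumed fixed layout and protects it with an HMAC-SHA256 tag standing in for the patent's "secure checksum", keyed with a secret assumed to be shared between the service provider and the target PCPU's secure system memory. The field order, the `OSI1` marker, the numeric category and transaction code tables and the function names are all assumptions made for the example.

```python
"""Object Support Information (OSI) block: pack, locate, integrity-check, decode.

Added example, not the patent's own code. The field layout, the 'OSI1' marker
and the use of HMAC-SHA256 as the "secure checksum" are assumptions chosen to
illustrate the text; the patent leaves format and algorithm open.
"""
import hashlib
import hmac
import struct

MAGIC = b"OSI1"            # assumed marker the PCPU scans for
# Assumed layout: marker, vendor id, UPID category, UPID version, UPID serial,
# currency (ISO 4217 numeric), TBC in cents per hour, transaction code, GRC.
FMT = ">4sIHHIHIBH"
TAG_LEN = 32

# Code tables are illustrative only; the patent assigns no values.
CATEGORY = {1: "game", 2: "wordprocessor", 3: "accounting"}
TXN_CODES = {1: "nominal cost + time charge",
             2: "nominal cost + free key + time charge",
             3: "nominal cost + paid key + time charge",
             4: "nominal cost + paid key, no further charge",
             5: "paid supply + time charge",
             6: "paid supply, no further charge"}


def upid(category, version, serial):
    """Compose the unique program identity: category | version | serial."""
    return (category << 48) | (version << 32) | serial


def build_osi(key, *, vendor, category, version, serial, currency, tbc, txn, grc):
    """Service-provider side: pack the fields and append a keyed tag.

    `key` stands for the secret held in the target PCPU's secure system
    memory; a producer without it cannot produce a block the PCPU accepts.
    """
    body = struct.pack(FMT, MAGIC, vendor, category, version, serial,
                       currency, tbc, txn, grc)
    return body + hmac.new(key, body, hashlib.sha256).digest()


def parse_osi(key, blob):
    """PCPU side: locate the block, verify the tag, then decode the fields.

    Raises ValueError on a missing or altered block so execution is refused.
    """
    body_len = struct.calcsize(FMT)
    idx = blob.find(MAGIC)
    if idx < 0 or len(blob) < idx + body_len + TAG_LEN:
        raise ValueError("no OSI block present")
    body = blob[idx:idx + body_len]
    tag = blob[idx + body_len:idx + body_len + TAG_LEN]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):      # constant-time compare
        raise ValueError("OSI integrity check failed")
    (_, vendor, category, version, serial,
     currency, tbc, txn, grc) = struct.unpack(FMT, body)
    return {"vendor": vendor, "upid": upid(category, version, serial),
            "category": CATEGORY.get(category, "unknown"), "version": version,
            "currency": currency, "tbc_cents_per_hour": tbc,
            "billing": TXN_CODES.get(txn, "unknown"), "grc": grc}


def tamper_detected(key, blob, offset):
    """Flip one bit at `offset`, as an attacker probing the PSO would, and
    report whether parse_osi rejects the result."""
    mutated = bytearray(blob)
    mutated[offset] ^= 0x01
    try:
        parse_osi(key, bytes(mutated))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    k = b"pcpu-secret-example"                     # constructed sample key
    pso = (b"\x90\x90\x90"                          # the NOP trigger sequence
           + build_osi(k, vendor=0x4142, category=3, version=7, serial=1001,
                       currency=840, tbc=250, txn=2, grc=0)
           + b"...encrypted program body...")      # constructed placeholder
    print(parse_osi(k, pso))
    print("vendor field altered, detected:", tamper_detected(k, pso, 9))
```

Two points follow from the way the check is built. A plain parity or CRC field, which the text also mentions, catches accidental corruption, but an attacker who can recompute it can alter the PSO undetected; making the check depend on a secret only the PCPU holds is what turns it into a validity check. And the tag covers only the packed block, so a change to the program body after it is not caught here; in the patent's scheme the body is itself encrypted and a modification there surfaces when decryption yields garbage.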

Encryption of the information to create the Protected Software Object:

The next step in the creation of a PSO is to convert the primary software object, together with any additional information as previously discussed, to a protected program that provides the security against illegal use of the program. This is done by encrypting the PSO using any known encryption method and any combination of known encryption methods, including the processes described [...], such that in part or whole it may only be executed [...] (EC [...]) for multiple levels of complexity. The [...] encryption [...] what method or methods [...] to support these methods. The actual arrangement of information within any part of the PSO to effect various outcomes will be highly variable, with the exception of certain functions fixed by a particular PCPU, and as the present invention allows for the provider supplied PSO to be flexible and the functions within a particular PCPU to be programmed in a multiplicity of ways, the various combinations and permutations that achieve the same outcome are obvious once the specific requirements and one method of achieving them are described.

Crediting funds into a PCPU (and or other PCPUs):

The present invention allows that a part of the secure system memory of a PCPU may be securely programmed with information that indicates an amount of credit (using any method and or currency) that may be set against software usage (and or any other applicable use). Various secure locations within the PCPU of a particular UCDPS may contain codes that are unique to that particular PCPU, and these codes are usually secret. A particular PCPU usually also has a publicly accessible electronic signature that can be used to identify a particular UCDPS. A particular PCPU may have other characteristics unique to it, for example particular software routines and or encryption/decryption processes and or any other applicable variation. Because of the secure nature of the information contained within a PCPU, it is preferable that conversion of a software object into a PSO is performed by a service provider, and that the actual information within PCPUs is maintained in a secure environment. When a UCDPS is initially shipped to a customer, it is likely that the PCPU has no credit value programmed within and may not be activated to execute PSOs. The process of activating a particular PCPU may be accomplished by any method and apparatus, including:

1) The user contacts a service provider (using any method, the most convenient usually being via a modem) and supplies the service provider with the serial number of the PCPU, the amount of credit required, and payment details (preferably a credit card payment) that may use any known method.
2) Using known details about information within that particular PCPU, the service provider takes the requested amount of credit and encrypts it using any known method and apparatus (an experienced person should be able to devise multiple techniques based on the encryption/decryption processes described earlier). The encryption process may use any information (including the time and or date and or any other unique and or global information within the PCPU, and or information that may be securely transferred to the PCPU using any known method, including those described in this application) to generate a one time code that may be decrypted within the PCPU.
3) The one time code is transferred to the user of the PCPU and entered into the computer. The code is decrypted. If an error is generated, the user may be advised. Once the amount is confirmed, the nominated credit is programmed into an appropriate secure non-volatile location internal to the PCPU that cannot be tampered with.
4) This process may activate the PCPU if required; however, the preferred determinant as to whether or not a particular PCPU will execute one or multiple PSOs is the amount of available credit.
5) The available credit is progressively decremented as various PSOs are used, and the present invention allows for any method and apparatus for billing for PSO use.
6) Usage of the various software objects may be logged. This is described later.
7) When the credit amount is decremented to a predetermined amount (and said amount may be predetermined by the service provider and or the user) the user is advised that additional credit will be required shortly. The method of advising the user of an imminent shortage of credit may use any method and or apparatus; however, as the programs that implement this process are preferably executing in part or whole from within secure memory internal to the PCPU, the facility exists to generate an internal interrupt and jump to an appropriate internal and or external program. This may occur at any time, the most usual being shortly after a system reset. The process may be transparent to the operating system. The facility exists, using a similar process (and or any other method and or apparatus), for the user to generate a current [...].
8) For the second and subsequent credit [...], in addition to providing the service provider with the electronic signature of their PCPU, the user will usually be required to advise the service provider of a code (securely generated within the PCPU using any known method and apparatus) that may include current information on remaining credit (which may be zero) and may include information [...].
9) Step 2 is repeated; however, in addition to credit information, the code supplied to the user usually contains an encrypted message that informs one or multiple routines within the PCPU that the information pertaining to software object use has been received by the service provider. Storage locations allocated to this information may then be cleared.

The present invention allows that [...] is also compatible with the provision of credit within the PCPU on account terms to selected users, and the credit allocated would [...]; the bill to the user may be calculated by subtracting the amount of credit remaining from the amount supplied in the previous period, and or by any other method and apparatus.

A user friendly menu system may be used to assist part or all of the process described above.
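Steps 1 to 9 above, together with the Electronic Credit and Report Verification PSOs described earlier, form one exchange between a service provider and a PCPU. The following Python is an added example of that exchange with both sides present; it is not the patent's code. Assumptions made for the example: each PCPU holds a per-device secret that the service provider also knows; a code is sealed with encrypt-then-MAC built from HMAC-SHA256, a stand-in for whatever cipher a real PCPU would use, chosen so the example needs only the standard library; a sequence number bound to the device serial and the message direction makes each code one-time, so a replayed, altered or wrong-device code is rejected before any credit is added. The class and method names and the low-credit threshold are assumptions.

```python
"""Crediting a PCPU and reporting usage with one-time codes.

Added example, not the patent's own code. Assumptions: every PCPU holds a
per-device secret that the service provider also knows; codes are sealed with
encrypt-then-MAC built from HMAC-SHA256 (a stand-in for whatever cipher a
real PCPU would use); a sequence number bound to the device serial and the
message direction makes every code one-time.
"""
import hashlib
import hmac
import json
import struct


def _keystream(key, label, n):
    """Deterministic keystream from HMAC(key, label || counter)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, label + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def seal(key, serial, direction, seq, payload):
    """Encrypt-then-MAC a JSON payload; returns the hex 'code' a user can type in."""
    pt = json.dumps(payload, sort_keys=True).encode()
    label = serial.encode() + direction + struct.pack(">Q", seq)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, label, len(pt))))
    tag = hmac.new(key, label + ct, hashlib.sha256).digest()[:16]
    return (struct.pack(">Q", seq) + ct + tag).hex()


def open_sealed(key, serial, direction, last_seq, code):
    """Verify the tag, refuse replays (seq <= last_seq), then decrypt."""
    raw = bytes.fromhex(code)
    seq = struct.unpack(">Q", raw[:8])[0]
    ct, tag = raw[8:-16], raw[-16:]
    label = serial.encode() + direction + struct.pack(">Q", seq)
    want = hmac.new(key, label + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, want):
        raise ValueError("code rejected: tag mismatch (altered or wrong device)")
    if seq <= last_seq:
        raise ValueError("code rejected: already used")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, label, len(ct))))
    return seq, json.loads(pt)


class PCPU:
    LOW_CREDIT = 100            # assumed threshold for the low-credit warning (step 7)

    def __init__(self, serial, secret):
        self.serial, self._secret = serial, secret
        self.credit = 0         # shipped with no credit and not activated
        self.active = False
        self.usage = {}         # upid -> units consumed since the last verified report
        self._last_in = 0       # highest provider sequence number accepted
        self._out_seq = 0       # sequence number of codes this PCPU generates
        self.low_credit_interrupt = False

    def redeem(self, code):
        """Steps 3 and 9: validate a provider code, add credit, clear reported usage."""
        seq, msg = open_sealed(self._secret, self.serial, b"in", self._last_in, code)
        self._last_in = seq                      # advance only after validation
        self.credit += msg["credit"]
        self.active = self.credit > 0
        if msg.get("report_received"):           # the Report Verification function
            self.usage.clear()
        self.low_credit_interrupt = self.credit <= self.LOW_CREDIT
        return self.credit

    def charge(self, upid, units):
        """Step 5: decrement credit as a PSO is used; refuse when it runs out."""
        if not self.active or units > self.credit:
            raise PermissionError("insufficient credit")
        self.credit -= units
        self.usage[upid] = self.usage.get(upid, 0) + units
        self.low_credit_interrupt = self.credit <= self.LOW_CREDIT
        self.active = self.credit > 0
        return self.credit

    def status_code(self):
        """Step 8: sealed statement of remaining credit and usage for the provider."""
        self._out_seq += 1
        return seal(self._secret, self.serial, b"out", self._out_seq,
                    {"credit": self.credit, "usage": self.usage})


class ServiceProvider:
    def __init__(self):
        self._devices = {}      # serial -> per-device secret and sequence state

    def register(self, serial, secret):
        self._devices[serial] = {"key": secret, "issued": 0, "seen": 0, "ledger": []}

    def issue_credit(self, serial, amount, status_code=None):
        """Step 2 on first purchase, or step 9 when a step-8 report is supplied."""
        dev = self._devices[serial]
        acknowledged = False
        if status_code is not None:
            seq, report = open_sealed(dev["key"], serial, b"out", dev["seen"], status_code)
            dev["seen"] = seq
            dev["ledger"].append(report)         # per-vendor payment allocation
            acknowledged = True
        dev["issued"] += 1
        return seal(dev["key"], serial, b"in", dev["issued"],
                    {"credit": amount, "report_received": acknowledged})


if __name__ == "__main__":
    sp, dev = ServiceProvider(), PCPU("PCPU-0001", b"device-secret-example")
    sp.register("PCPU-0001", b"device-secret-example")
    dev.redeem(sp.issue_credit("PCPU-0001", 500))           # first top-up
    dev.charge("game-1", 450)                                # triggers low-credit warning
    dev.redeem(sp.issue_credit("PCPU-0001", 1000, status_code=dev.status_code()))
    print(dev.credit, dev.usage, dev.low_credit_interrupt)  # 1050 {} False
```

The device-side sequence check is what makes the code genuinely one-time: the text relies on time and date in the encryption for the same purpose, but a PCPU without a trusted clock cannot evaluate that, whereas a monotonic counter in secure non-volatile memory can be checked offline. The provider applies the same check to the step-8 report, so a user cannot resubmit an old report showing high remaining credit and low usage.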

Monitoring the use of protected software objects:

The present invention allows for any known method and apparatus that can monitor and or record the usage of PSOs (and or software objects), preferably one that is compatible with multitasking programs in a single processor and or multiprocessor environment, and preferably one that provides a tamperproof, secure system that operates in part or whole from within a PCPU and or any other SPD, whether the UCDPS is an independent entity, and or independent and connected to a network, and or independent and connected to the Internet or similar, for its correct functioning, and or dependent in part or whole on connection to the Internet (or similar). In a single task UCDPS the SPD usually starts recording usage when activated and terminates when the PSO finishes. The preferred method in a multitasking environment where usage is timed is to generate an internal interrupt within the secure microprocessor on a periodic basis; said interrupt activates a routine within internal [...] counter of the system microprocessor [...] the PSO to determine [...]. The invention allows for any combination and or permutation and or weighting for usage of any [...] of the measurement. The usage of PSOs is usually recorded in part or whole within secure internal memory; however, [...] of PSOs may be encrypted and stored external to the PCPU and or UCDPS. It is preferable to keep sufficient information on PSO usage [...] in the event that external storage of this information is corrupted, in which case, while there may be no detailed breakdown of transactions, the vendor is still correctly remunerated. The aforementioned processes are transparent to the operating system. An alternative, non transparent, method is to have the operating system perform various routines during task switching that may activate various processes within the secure internal memory to record details about program execution. Information on program usage is usually maintained in secure non-volatile storage locations internal to the SPD. The invention allows that a report on software usage may be prepared (usually in encrypted form, using any method and apparatus) for transmission to a service provider and or any other authorised party on a periodic basis, which may be any period and may be fixed and or variable; this report is usually generated by secure routines within one or more PCPUs from information that may be internal and or external to the PCPU.

Controlling execution (and or any other processing) of protected software objects:

One objective of the invention is to provide a method and apparatus that may be used to protect software objects in a manner that does not restrict the copying of the PSO and that in the preferred scenario, would provide at minimal cost, a copy of that particular software object to any user of a UCDPS requiring it. An optimal situation would be the collation of all PSOs suitable for use with a particular type of UCDPS onto a collection of CD ROMs that may be supplied to users at nominal cost. Update CD ROMs may be made available on a periodic basis. The invention allows for PSOs to be supplied on any medium and this may include access to a database of PSOs via the Internet. The capacity of a SPD to decrypt externally supplied information in a secure manner that may include realtime decryption and decryption using software routines within internal secure memory (that may be supported by hardware decryption engines) together with the method and apparatus to securely encrypt information for transfer to a service provider (or any other appropriate external party), provides a secure and flexible environment for restricting the use of a PSO using multiple methods and the invention allows for all of these. At some point in the processing of a PSO, and usually at the commencement, the SPD may require certain information from the PSO of relevance to determining the type of protection system applied to the PSO; for example, certain data (or any other method) may be extracted from the PSO to inform the SPD that this particular PSO may be executed on a time used basis and whether or not this is linked to the availability of credit within the SPD. Information on the vendor and or the product code of the PSO and usually the amount to charge for a unit of execution time may then be required (and this information may be required for any other protection systems). One source of this information is the PSO itself and this information may be extracted by the SPD, using any method and apparatus. The usual process extracts (using any method and apparatus) the vendor and product code from the
secure memory internal to the SPD. The cost of executing (and or any other processing) the PSO on a time and or event basis and or any other basis is extracted from the PSO where ap
right to execute a particular program, the SPD grants a generic right to execute as long as certain internal and or external generic codes match the requirements of one or multiple PSOs. The invention allows that information contained within a PSO may not be current as regards execution costs (and or any other information) and provides for any method and apparatus to compensate for this, with the preferred method being the provision of one or multiple files located on a suitable mass storage device attached directly and or indirectly to the UCDPS, with said files referenced in this document as Current Data Files (or CDF). CDF may be updated as required using any method and apparatus (ir^^ PSOs). A current data file may contain any information, and may replace part at least of that within a PSO, however, it will usually include details of the costs associated with executing PSOs (that may be all, or a subset of, the available PSOs), and

WO 97/25675 PCT/AU97/00010 

this may include information on discounts for frequency and or quantity and or special groups and or special promotions and or any other information. A CDF may have a creation date and or one or multiple blocks of information pertaining to one or multiple PSOs may include the date (or any other method and apparatus to effect an equivalent result) said information pertaining, became valid. When a PSO is created the date of creation (and or any other method and apparatus to effect an equivalent result) is usually included within the PSO and when a PSO is processed, the date within the PSO may be compared to that within the CDF (if present), with the more recent information preferably used. The information within a CDF is preferably encrypted and this may be for any reason, including protection against tampering with the information. Various validity checks may be performed when information within a CDF is loaded and or used (this may be for any reason including detecting unauthorised alterations to the information). When an SPD generates a report for the service provider (or any other authorised party) it may include information on the currency of information within a particular CDF, and or the absence of a CDF, and or the creation dates of the PSOs executed. It may be that a user knows that access to a CDF by the SPD may result in increased costs to the user than would be incurred by referencing the billing information in the actual PSO, and said user may be reluctant to update their current CDF and or may delete the CDF (the invention allows that the presence of at least one CDF is required). The invention allows for any method and apparatus that may be used to circumvent this potential problem, including the service provider adjusting billing to reflect current charges (or any other reason).

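The CDF logic above (compare the PSO's creation date with the CDF entry, prefer the more recent, validity check the CDF, and report a missing or corrupt CDF) as an added worked example; this is not code from the patent. It assumes an HMAC-SHA256 tag as the "any method" integrity check and uses constructed keys, vendor and product codes and dates.

```python
import hmac
import hashlib
import json
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple

# Assumption: the SPD and the service provider share a secret that
# authenticates Current Data Files. The patent only says a CDF is "preferably
# encrypted" and validity checked "using any method"; HMAC-SHA256 stands in
# for that here. Key and all sample data below are constructed.
CDF_KEY = b"constructed-spd-cdf-key"


@dataclass
class PsoPricing:
    """Billing information embedded in a PSO at creation time."""
    vendor: str
    product: str
    created: date            # creation date carried inside the PSO
    units_per_minute: int    # charge per unit of execution time


def make_cdf(entries: dict, created: date, key: bytes = CDF_KEY) -> bytes:
    """Service-provider side: serialise a CDF and append its integrity tag."""
    body = json.dumps({"created": created.isoformat(), "entries": entries},
                      sort_keys=True).encode()
    return body + b"\n" + hmac.new(key, body, hashlib.sha256).hexdigest().encode()


def load_cdf(blob: bytes, key: bytes = CDF_KEY) -> Optional[dict]:
    """SPD side: return the CDF contents, or None if the tag does not verify."""
    body, sep, tag = blob.rpartition(b"\n")
    if not sep:
        return None
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        return None      # tampered or truncated: treated as if no CDF were present
    data = json.loads(body)
    data["created"] = date.fromisoformat(data["created"])
    return data


def resolve_rate(pso: PsoPricing, cdf_blob: Optional[bytes]) -> Tuple[int, str]:
    """Choose the rate to charge and the note the usage report should carry.

    The more recent of the PSO's embedded pricing and the matching CDF entry
    wins. A missing or invalid CDF falls back to the PSO's own figure, and the
    report records that fact so the provider can adjust billing later.
    """
    if cdf_blob is None:
        return pso.units_per_minute, "no CDF present"
    cdf = load_cdf(cdf_blob)
    if cdf is None:
        return pso.units_per_minute, "CDF failed validity check"
    entry = cdf["entries"].get(f"{pso.vendor}/{pso.product}")
    if entry is None:
        return pso.units_per_minute, f"CDF of {cdf['created']} has no entry"
    valid_from = date.fromisoformat(entry["valid_from"])
    if valid_from > pso.created:
        return entry["units_per_minute"], f"CDF rate valid from {valid_from}"
    return pso.units_per_minute, f"PSO rate of {pso.created} is more recent"


# Constructed sample data for a stand-alone run.
SAMPLE_PSO = PsoPricing("VEND01", "GAME42", date(1996, 6, 1), 10)


def sample_cdf(valid_from: str, units_per_minute: int) -> bytes:
    """Constructed CDF with a single entry for SAMPLE_PSO."""
    return make_cdf({"VEND01/GAME42": {"valid_from": valid_from,
                                       "units_per_minute": units_per_minute}},
                    created=date.fromisoformat(valid_from))


if __name__ == "__main__":
    print(resolve_rate(SAMPLE_PSO, None))
    print(resolve_rate(SAMPLE_PSO, sample_cdf("1996-11-15", 8)))
    print(resolve_rate(SAMPLE_PSO, sample_cdf("1996-11-15", 8).replace(b": 8", b": 1")))
```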
The preferred protection system is applicable to PSOs that are permitted to operate within a UCDPS on an unrestricted basis, as long as certain criteria are met:
• the PCPU and or any other PCPU has sufficient credit programmed into the device (using any method and apparatus) to cover the costs incurred by the user in executing the PSO, and or
• the use of each PSO is logged and this may be time based and or event based and or any other method and apparatus that requires periodic reports on software use and or any other information to be provided to an appropriate external party.

The invention allows that PSOs may be used on a time and or events basis and that this may require the availability of credit within the SPD and or may not require the availability of said credit, in which case the user would usually be billed for use of software after providing a periodic report to the service provider. As the PSO is used, the appropriate units of usage (that may be time and or monetary and or any other token) are progressively adjusted against a particular vendor/product code (and or any other method). When available credit is progressively utilised in association with the use of one or multiple PSOs, the amount of available credit to the user is decremented. Credit units within a SPD may represent any token and or currency, using any method. The invention allows for any method and apparatus to securely store this information and this may be internal and or external to the SPD. A number of method steps were described earlier for transferring credit to a particular SPD, and a similar method is used for supplying a service provider with information about PSO usage, and for the service provider to inform the SPD that this information has been received, and that further use of PSOs may continue, however any other method and apparatus is allowed for. For PSOs that require the availability of credit within the SPD for their execution, a user may be required to provide a report when available credit within the SPD is zero and or some other predetermined amount and or the user may be required to report information to the service provider on a periodic basis, and said periodic basis may be any period and it may be varied by the service provider, and or the user may be required to report to the service provider when a certain number of events have occurred, that may be any combination of events, including the number of times one or multiple PSOs have been used, and or a user may be required to provide a report to any authorised party for any reason; those PSOs that do not require the presence of available credit within the SPD may share any of the reporting requirements discussed, however, they usually are independent as to the state of credit within the SPD. In practice a mix of methods may be used and a periodic report may be required. When a report is required on a periodic basis, a secure battery backed realtime clock/calendar is the preferred source of determining (in conjunction with predetermined and or otherwise information on the time intervals to be used) when the relevant time interval has occurred. When available credit expires and or a certain date and or time is reached and or a certain number of events and or type of events have occurred, part or all of the functions of the SPD may be disabled.

Whatever the trigger point for requiring the user to supply the service provider with a report generated by secure methods within and or in conjunction with the SPD, the method steps to supply said report and to reactivate the SPD for further use may use any method and apparatus, including:
1) When the SPD determines that internal and or external information is due for reporting to a service provider, any method may be used to alert the user, and one preferred method uses the ability of the PCPU to call routines transparently to the operating system by having the secure microprocessor DMA information to display memory and this facility may be used to overlay a message on the display device of the UCDPS advising them to execute a program that will generate a report and this is preferably at the start of a processing session.
2) The report generator is executed and this may display a menu based system to assist the user through the process. If information is to be transmitted to the service provider via a modem and any return information received by the same method then the process may be fully automated and transparent to the user. The invention allows for any method and apparatus that assists the user with the process. The report
SPD that collate and encrypt the information to be supplied to the service provider, with the information usually including one or multiple unique identity codes for a particular SPD, and this may and or may not be encrypted. The report would usually be integrated with any information to be supplied to a service provider as regards credit remaining within a SPD.
3) The user contacts a service provider (using any method, the most convenient usually being via a modem) and supplies the service provider with the information generated by the report generator. As mentioned, if using a modem this process may have minimal user intervention. If a modem is not available the information may be sent by any method, including as a file on a diskette and or the information may be read over a telephone (this may be verbal or use the numeric pad) and or any other method
4) On receipt of the information the service provider determines the electronic signature of the SPD generating the report and using known details about various information within that particular SPD decrypts the report and confirms that it has not been tampered with.
5) Any method may be used to collect payment for any amounts payable as a result of use of software objects and or any other reason.
6) The service provider prepares a one time code using any method and apparatus that may be correctly interpreted by the target SPD and is usually specific to a particular SPD.
7) The one time code is transferred
error is generated the user may be advised. The purpose of this information is usually to advise routines within the SPD that a correctly encoded report was received by the service provider and that further use of PSOs may proceed. Other information, eg. credit may be included with said one time code. The normal process preferably provides a report and ensures continued use of PSOs prior to the expiry date of the current period.

With the exception of the periodic updating of internal credits and the reporting of software usage the method and apparatus of software protection and distribution may be transparent to the user. As long as payments are made as required the user would treat a PSO as they would any presently available software object.

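The metering described under "Monitoring the use of protected software objects" and the report and one time code exchange in steps 1) to 7) above, modelled end to end as an added example (not code from the patent): the SPD charges the running PSO on each periodic interrupt, collates an authenticated usage report, and only resumes when a code bound to that report's sequence number verifies, refusing a replayed code. HMAC-SHA256 over a JSON body is an assumed stand-in for the patent's "any method and apparatus"; device identities, keys and unit figures are constructed.

```python
import hmac
import hashlib
import json
from typing import Dict, Optional, Set

# Assumption: each SPD shares a per-device secret with the service provider.
# The patent leaves the report encryption and the one time code format open;
# HMAC-SHA256 over a JSON body stands in for both here. Constructed key.
DEMO_KEY = b"constructed-key-for-SPD-0001"


def _tag(key: bytes, body: dict) -> str:
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(),
                    hashlib.sha256).hexdigest()


class SecureProcessingDevice:
    """SPD metering, report generation and one time code acceptance."""

    def __init__(self, identity: str, key: bytes, credit_units: int,
                 report_every_ticks: int):
        self.identity, self._key, self.credit = identity, key, credit_units
        self.report_every, self.ticks_since_report = report_every_ticks, 0
        self.usage: Dict[str, int] = {}        # vendor/product -> units charged
        self.disabled = self.report_due = False
        self._report_seq = 0
        self._used_codes: Set[str] = set()

    def tick(self, running_pso: str, units_per_tick: int) -> None:
        """Periodic timer interrupt: charge the running PSO for one interval."""
        if self.disabled:
            return
        if self.credit < units_per_tick:
            self.disabled = self.report_due = True   # credit exhausted
            return
        self.credit -= units_per_tick
        self.usage[running_pso] = self.usage.get(running_pso, 0) + units_per_tick
        self.ticks_since_report += 1
        if self.ticks_since_report >= self.report_every:
            self.report_due = True

    def generate_report(self) -> dict:
        """Collate usage and remaining credit under a fresh sequence number."""
        self._report_seq += 1
        self.ticks_since_report = 0
        body = {"spd": self.identity, "seq": self._report_seq,
                "usage": dict(self.usage), "credit_remaining": self.credit}
        return {"body": body, "tag": _tag(self._key, body)}

    def apply_one_time_code(self, code: dict) -> bool:
        """Accept a provider code once; on success re-enable and add credit."""
        body = code["body"]
        if (body.get("spd") != self.identity
                or body.get("ack_seq") != self._report_seq
                or code["tag"] in self._used_codes
                or not hmac.compare_digest(code["tag"], _tag(self._key, body))):
            return False
        self._used_codes.add(code["tag"])
        self.credit += body.get("credit_added", 0)
        self.usage.clear()
        self.disabled = self.report_due = False
        return True


class ServiceProvider:
    """Verifies SPD reports, bills per vendor/product, issues one time codes."""

    def __init__(self, spd_keys: Dict[str, bytes]):
        self._keys = spd_keys
        self.billed: Dict[str, Dict[str, int]] = {}

    def process_report(self, report: dict, credit_to_add: int) -> Optional[dict]:
        body = report["body"]
        key = self._keys.get(body.get("spd"))
        if key is None or not hmac.compare_digest(report["tag"], _tag(key, body)):
            return None   # unknown device or altered report: no code issued
        ledger = self.billed.setdefault(body["spd"], {})
        for product, units in body["usage"].items():
            ledger[product] = ledger.get(product, 0) + units
        ack = {"spd": body["spd"], "ack_seq": body["seq"],
               "credit_added": credit_to_add}
        return {"body": ack, "tag": _tag(key, ack)}


def run_cycle() -> dict:
    """One metering, report and reactivation cycle on constructed data."""
    spd = SecureProcessingDevice("SPD-0001", DEMO_KEY, credit_units=50,
                                 report_every_ticks=4)
    provider = ServiceProvider({"SPD-0001": DEMO_KEY})
    for _ in range(4):
        spd.tick("VEND01/GAME42", 10)            # four intervals at 10 units
    due = spd.report_due
    code = provider.process_report(spd.generate_report(), credit_to_add=100)
    return {"report_due": due,
            "accepted": spd.apply_one_time_code(code),
            "replayed": spd.apply_one_time_code(code),   # second use refused
            "credit": spd.credit,
            "billed": provider.billed["SPD-0001"]}
```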
The invention allows that a user may purchase a particular
apparatus, including debiting the cost of the PSO from any available internal credit and setting a code such that there is no further billing for use of this PSO, one method allows for a file to be kept on a suitable mass storage device attached directly and or indirectly to the UCDPS
usually in encrypted format (in part or whole), a vendor code and product code and a code that is unique to a particular PCPU for that particular product. Said code is usually created when payment is made and this may be automatic when there is available credit in the PCPU and or may be supplied by the service provider on receipt of payment and or any other method. When a PSO is loaded for execution, routines within the PCPU may access this file and determine whether or not a particular PSO that is normally charged on any type of usage basis, is exempt from this process. One alternative is

A variation on the method and apparatus described earlier allows for a certain group of programs to be used on an unlimited basis for a period of time, for one fixed charge. This may apply to computer games for example that may be used for $X per month, where X may be any amount. A periodic report is required to determine usage of the different games in order to appropriately pay the vendors of those games. The actual pro rata allocation to various vendors may be made by the service provider using any agreed formula. This may use a special code within the PSO and or the CDF and or the EPF and or any other method. The invention allows that multiple software object groupings may use this variation and the amount charged for one grouping may be the same and or different to other groupings.

The invention allows that part or all of the processes that require the user to supply one or multiple codes to activate part or all of the invention for any reason, may use any method and apparatus to prevent attempts at creating said codes by trial and error and or any other method, with the preferred said method and apparatus to prevent, being a routine(s) within secure internal memory that log in non-volatile storage invalid attempts at entering codes and part or all of this information may be stored in one or multiple external files, that may be directly and or indirectly attached to the UCDPS. The invention allows for any action to be taken including disabling the PSO and or multiple PSOs and or the PCPU and or all processing capability, and this may be done using any method and apparatus.

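The trial and error defence above as an added example (not the patent's code): invalid code entries are logged to non-volatile storage, the count survives a simulated power cycle, and after a fixed number of failures the gate disables itself until the service provider resets it. The attempt limit, the JSON file standing in for non-volatile storage and the sample codes are assumptions.

```python
import hashlib
import hmac
import json
import os
import tempfile
from typing import List

MAX_INVALID_ATTEMPTS = 3   # assumed policy; the patent fixes no number


class AttemptLog:
    """Non-volatile record of invalid code entries.

    The patent keeps this in secure internal memory with an optional external
    copy; a JSON file stands in for the non-volatile store here so the count
    survives a simulated power cycle. Attempts are stored as digests, not as
    the codes themselves.
    """

    def __init__(self, path: str):
        self.path = path
        self.entries: List[str] = []
        if os.path.exists(path):
            with open(path) as fh:
                self.entries = json.load(fh)

    def record(self, attempted_code: str) -> int:
        self.entries.append(hashlib.sha256(attempted_code.encode()).hexdigest())
        with open(self.path, "w") as fh:
            json.dump(self.entries, fh)
        return len(self.entries)

    def clear(self) -> None:
        self.entries = []
        if os.path.exists(self.path):
            os.remove(self.path)


class CodeGate:
    """Checks a user-supplied activation code against the SPD's expected one."""

    def __init__(self, expected_code_digest: str, log: AttemptLog):
        self._expected = expected_code_digest
        self._log = log

    def try_code(self, code: str) -> str:
        """Return "ok", "invalid", or "disabled" (no code is accepted)."""
        if len(self._log.entries) >= MAX_INVALID_ATTEMPTS:
            return "disabled"    # lockout persists until a provider reset
        digest = hashlib.sha256(code.encode()).hexdigest()
        if hmac.compare_digest(digest, self._expected):
            return "ok"
        if self._log.record(code) >= MAX_INVALID_ATTEMPTS:
            return "disabled"
        return "invalid"

    def provider_reset(self) -> None:
        """Stands in for a reactivation code supplied by the service provider."""
        self._log.clear()


def simulate() -> List[str]:
    """Three wrong guesses, a power cycle, then the correct code and a reset."""
    correct = "CONSTRUCTED-CODE-1234"
    expected = hashlib.sha256(correct.encode()).hexdigest()
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "attempts.json")
        gate = CodeGate(expected, AttemptLog(path))
        results = [gate.try_code(g) for g in ("0000", "1111", "2222")]
        gate = CodeGate(expected, AttemptLog(path))   # power cycle: log reloaded
        results.append(gate.try_code(correct))         # still locked out
        gate.provider_reset()
        results.append(gate.try_code(correct))
    return results
```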
The invention allows that a user who has purchased in part or whole one or multiple PSOs and or earned frequency discounts on one or multiple PSOs and or any other reason, may wish to port these to another SPD for any reason, including that the user has
in one or multiple PSOs to another user. The invention also allows that one or multiple PSOs may not offer this facility. The invention allows that there are multiple known methods and apparatus for achieving this including a preferred option that may involve the following method steps:
1) the user activates a program to reverse various capabilities granted to a particular SPD, for example activation codes and or discount schedules. This would usually initiate a menu type screen on the display device, using the method previously described, of the UCDPS to assist the process.
2) the user nominates those PSOs to
SPD.
3) the program may change various internal locations and may change various external locations such that existing rights are no longer valid on the SPD.
4) encrypted information is supplied to the service provider indicating that various access rights to one or multiple PSOs have been modified, and the encrypted information (using any method and apparatus) is decrypted and verified for validity, using any method and or apparatus.
5) the user usually informs the service provider of the new SPD that various access rights are to be transferred to. This may be multiple SPDs.
6) any codes and or discounts and or new versions of encrypted PSOs are prepared for the nominated PSOs and supplied accordingly.

User password:

Certain information is preprogrammed into the PCPU prior to being made available to a user and some of this may restrict the user of that particular PCPU from various functions available within the PCPU and or available in various information supplied by a service provider. An example may be to restrict users of a particular country from various services. The invention allows that some of these restrictions may be reprogrammable with information supplied by the service provider while other information may be fixed. A user of a UCDPS equipped with a PCPU may have various restrictions that they want placed on the use of the PCPU and these would normally be programmable by the user, and these may include any approved functions, using any known method. A user may want a master password for themselves and this would usually be stored within non-volatile storage elements of system memory, and the correct entry of this may be required to activate the PCPU (in the case of a PCPU the CPUs within may be disabled). Additional passwords may also be required that allow limited access to the PCPU, for example, certain passwords may be attached to children to prevent them from using unsuitable software, or certain employees may be prevented from playing games on their computers during business hours. Certain functions may also be attached to various passwords, e.g. to monitor usage.

Any program and or data that is preprogrammed into a PCPU may in part or whole be the same as those within other PCPUs and or may in part or whole be unique to other PCPUs. Any program that is currently within secure memory may call on any currently external programs and or data and or apparatus to assist the functions of said any program.

Protection of other forms of information:

The present invention also allows for the inclusion of part or all of the method and apparatus described in this application when used in conjunction (in any manner) with any secure apparatus (that may be one or multiple devices) for use in:
the secure decoding of encrypted (in part or whole) video information and or any other encrypted (in part or whole) visual information, and or the secure generation of the necessary signals to display the decoded information on a suitable visual output device, with said necessary signals
visual output device and or
the secure decoding of encrypted
information of the necessary signals to drive a loudspeaker (and or equivalent), with said necessary signals preferably constrained within said loudspeaker (or equivalent) and or
the secure decoding of encrypted (in part or whole) text
(and or any other printed matter of commercial value that is published in electronic form) and the secure generation of the necessary signals to display the decoded information on a suitable visual output device;
this particularly applies when said secure apparatus securely monitors and or logs (directly and or indirectly) the use of the encrypted information as it is decoded and used
that includes (directly and or indirectly) one or multiple methods and apparatus to ensure payment is made for said use.
Any combination of software and or hardware and or microcode may be used to implement the method and apparatus, with the preferred method and apparatus:
retrieving pricing information from the encrypted information; and or
timing the use (and or counting the frequency of use) of said encrypted
storing this within the secure apparatus (that may include secure locations external to the secure apparatus) in non-volatile storage elements; and or
debiting an amount of electronic funds previously embedded within the secure apparatus; and or
recording an amount to charge at a future date; and or
generating a report of usage (preferably with a breakdown for each vendor and or product) that is supplied to the information provider (and or agent); and or a
system to ensure that said report of usage has been received by the relevant parties; and or
that may disable part or all of
its limits are exceeded and or a report is not provided to the relevant parties and or that periodic information is not received from said relevant parties; and or
that may be updated with additional
encrypted information may be supplied on any machine readable physical media (e.g. CDROM or videodisc) and or broadcast using any method.

When an external PSO requires to access the SPD, the normal process is to:
a) block interrupts if required and write a command to the system command input port requesting use of the SPD.
b) the process of writing to the port preferably generates an interrupt so there is a rapid response from the secure microprocessor, otherwise there may be a delay while it is polled.
c) the secure microprocessor writes to the system command output port a value if there are no resources and another value if there are resources, together with the address and size of a user command input and output port and a user data input and output port. It clears the value written by the system microprocessor into the system command input port.
d) the PSO reads the information from the system command output port and reactivates interrupts.
e) if resources are currently unavailable to the PSO it may enter any known delay routine and try again later. The option exists for it to branch to a routine to advise the user that the multitasking capability of the UCDPS is currently fully extended.
f) if granted access it saves the appropriate user port information in an accessible location and may read and write to these ports as required. There is no need to disable interrupts when accessing the user ports allocated to it. There is no requirement to modify the task switching routines of the UCDPS operating system.
g) if the SPD has granted a PSO access to the SPD then it preferably stores relevant information about the PSO user partition in a known location in the system partition, usually with information on other user partitions.
h) the SPD waits until the PSO starts writing information to its user data input port, this may be triggered by an interrupt or polling of locations and or any other method.
i) the SPD transfers the information into the allocated secure user partition. This may be done via the user data input port and or via Direct Memory Access (DMA) or by direct programmed I/O by the secure microprocessor and or any other method permitted by a particular embodiment of the invention.
j) PSOs usually include various information to assist the SPD in addition to various encryption and validity checking information.
k) various system functions are activated to decrypt and validate where appropriate and extract other information relevant to the PSO.
m) the PSO may be determined to be a valid System Support Object that is required to be loaded into the secure system partition to addresses determined by any method. The System Support Object may include data and commands as to what sort of processing is required and or it may contain executable instructions, in which case the secure microprocessor will be directed to execute this program.

This is usually granted if the SPD currently has sufficient resources. This would normally be the case in a single tasking system, however, in a multitasking environment, a PSO may need to wait. Said wait may use any method

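The port handshake in steps a) to i) above, simulated as an added example that is not code from the patent: the PSO blocks interrupts and writes its request to the system command input port, the secure microprocessor answers on the system command output port with a grant (plus the allocated user port addresses and partition size) or a refusal when its partitions are exhausted, records the partition in its system partition table, and copies writes to the user data port into the partition without exceeding it. The command and status encodings, port numbers and partition size are constructed values.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed encodings: the patent names two reply values ("no resources" and
# "resources granted") and a request command but fixes no numbers.
REQUEST_SPD = 0xA5
NO_RESOURCES = 0x00
RESOURCES_GRANTED = 0x01


@dataclass
class UserPartition:
    """Secure user partition and the port pair handed to its PSO (step c)."""
    pso_id: str
    cmd_port: int
    data_port: int
    size: int
    buffer: bytearray = field(default_factory=bytearray)


class SecureProcessor:
    """SPD side of the handshake: steps b, c, g, h and i."""

    def __init__(self, max_partitions: int, base_port: int = 0x1000, size: int = 256):
        self.max_partitions, self._next_port, self._size = max_partitions, base_port, size
        self.sys_cmd_in: Optional[int] = None
        self.sys_cmd_out: Optional[dict] = None
        self.partitions: Dict[str, UserPartition] = {}  # system partition table (g)

    def on_sys_cmd_in_write(self, pso_id: str, command: int) -> None:
        """Interrupt raised by a write to the system command input port."""
        self.sys_cmd_in = command
        if command != REQUEST_SPD or len(self.partitions) >= self.max_partitions:
            self.sys_cmd_out = {"status": NO_RESOURCES}
        else:
            part = UserPartition(pso_id, self._next_port, self._next_port + 2, self._size)
            self._next_port += 4
            self.partitions[pso_id] = part
            self.sys_cmd_out = {"status": RESOURCES_GRANTED, "cmd_port": part.cmd_port,
                                "data_port": part.data_port, "size": part.size}
        self.sys_cmd_in = None          # step c: clear the value the PSO wrote

    def on_user_data_write(self, data_port: int, data: bytes) -> bool:
        """Steps h and i: move data from a user data port into its partition."""
        for part in self.partitions.values():
            if part.data_port == data_port:
                if len(part.buffer) + len(data) > part.size:
                    return False        # would exceed the partition: refuse
                part.buffer.extend(data)
                return True
        return False                    # no partition owns this port

    def release(self, pso_id: str) -> None:
        self.partitions.pop(pso_id, None)


class ProtectedSoftwareObject:
    """PSO side of the handshake: steps a, d, e and f."""

    def __init__(self, pso_id: str):
        self.pso_id, self.ports, self.interrupts_enabled = pso_id, None, True

    def request_access(self, spd: SecureProcessor) -> bool:
        self.interrupts_enabled = False                     # a) block interrupts
        spd.on_sys_cmd_in_write(self.pso_id, REQUEST_SPD)   # a/b) write raises IRQ
        reply = spd.sys_cmd_out                             # d) read the reply
        self.interrupts_enabled = True                      # d) reactivate interrupts
        if reply["status"] != RESOURCES_GRANTED:
            return False                                    # e) delay and retry later
        self.ports = {k: reply[k] for k in ("cmd_port", "data_port", "size")}  # f)
        return True

    def send(self, spd: SecureProcessor, data: bytes) -> bool:
        return self.ports is not None and spd.on_user_data_write(self.ports["data_port"], data)


def demo() -> dict:
    """Two partitions, three PSOs: the third must wait until one is released."""
    spd = SecureProcessor(max_partitions=2)
    psos = [ProtectedSoftwareObject(f"PSO-{i}") for i in range(3)]
    grants: List[bool] = [p.request_access(spd) for p in psos]
    sent = psos[0].send(spd, b"constructed PSO header")
    oversize = psos[1].send(spd, b"x" * 300)              # exceeds 256-byte partition
    stored = bytes(spd.partitions["PSO-0"].buffer)
    spd.release("PSO-0")                                   # first PSO finishes
    grants.append(psos[2].request_access(spd))             # e) retry now succeeds
    return {"grants": grants, "sent": sent, "oversize": oversize, "stored": stored,
            "ports_distinct": psos[0].ports["data_port"] != psos[1].ports["data_port"],
            "pso2_data_port": psos[2].ports["data_port"]}
```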
The claims defining the invention are as follows:

1. A method of distributing software objects from a producer to a potential user comprising the method steps of

equipping a user controlled data processing system with a secret processing device, and said user controlled data processing system equipped with said secret processing device is referred to as a PUCDPS, wherein said secret processing device of said PUCDPS may be configured to be dependent in part or whole on the coupling of said PUCDPS for part or all of the time, to one or multiple remote computers and or any other data processing devices, however, part or all of said secret processing device may operate and or be configured to operate in a stand alone PUCDPS and may remain operational for extended periods after said PUCDPS is removed from a source of power one or multiple times, and or moved to different locations, and or reset one or multiple times, and or any other event that would normally disrupt processing on said PUCDPS;

providing one or multiple service providers, with part at least of secret
processing device that is required to provide
the service
wherein said service providers are the agents of said producer;

providing a software object;

modifying part or all of said software object such that it is functionally limited to require said PUCDPS for correct processing (in this claim execution and process and processing are interchangeable and refer to execution of instructions and or processing of data) and the functional limitation may be Oscar compatible and or may be Groover compatible and or may use any encryption method able to be reversed in said secret processing device, furthermore, said functional
not practical to regenerate the original software object from any parts that are not
particular functionally limited software object the functional limitation may only be reversed in part or whole by a specific said secret processing device with unique characteristics necessary to reverse the functional limitation, or the functional limitation may be reversed in part or whole on a plurality of said secret processing device identified by common characteristics necessary to reverse the functional limitation; and or

modifying part or all of said software object, using any method, such that said software object is securely linked in part or whole, using any method, to any one or multiple conditions of use, that in part or whole are not practical to tamper with and said conditions of use
or identifies said software object in any way, such that when said secret processing device is used to reverse part or all of said functional limitation
of software objects of a particular producer and or any other record that in part or whole is used in determining remuneration to the producer and or any other parties and or said conditions of use includes any code that contains information which may be used by the SPD to determine if said software object;

is permitted to execute and or process in part or whole on a units of time used basis, and may include what fee should be applied for the use of said software object and said fee may be any unit of measurement and is preferably a generic units of use basis and said generic units may be attributed any real currency value at any stage; and or

is permitted to execute and or process in part or whole on an events occurring basis, for example the number of times one or multiple parts of said software object are loaded and or executed and or any other measurable events basis, and may include what fee should be applied for the use of said software object and said fee may be any unit of measurement and is preferably a generic units of use basis and said generic units may be attributed any real currency value at any stage; and or

is permitted to execute and or process on an unlimited basis subject to a fee, and may include what fee should be applied for the use of said software object and said fee may be any unit of measurement and is preferably a generic units of use basis and said generic units may be attributed any real currency value at any stage; and or

is permitted to execute and or process on any type of limited basis subject to a fee, and may include what fee should be applied for the use of said software object and said fee may be any unit of measurement and is preferably a generic units of use basis and said generic units may be attributed any real currency value at any stage; and or

requires entry of one or multiple data keys of any type prior to initiating use of part or all of said software object for the first and or any other time on a particular said secret processing device and may include whether or not a fee is to be charged; and or

requires any other restrictions of any type to be placed on use of said software object; and

any said software object modified in part or whole as described is referred to as a Protected Software Object;


19 providing one or multiple protected software object onto computer-accessible memory media and or any suitable 

20 apparatus for electronically transferring said protected software object to a potential user, and preferably the 

21 conditions of use attached to said one or multiple protected software object permit said protected software object to 

22 be used on a time used basis in a PUCDPS with a secret processing device that has sufficient quantity of one or 

23 multiple said unit of measurement stored within and or securely accessible; 
24 

25 shipping said one or multiple said protected software object cm said computer-accessible memory media to a 

26 potential user and or said electronically transferring said one or multiple protected software object; 
27 

28 

29 loading said one or multiple said protected software object into said PUCDPS and executing as permitted by said 

30 conditions of use; 
31 

32 where required by said conditions of use, a user friendly menu system and or any other method provides far the user 

33 to: 

34 request , the supply of one or multiple said unit of measurement that may be required by the said secret 

35 processing device for any purpose, and or 

36 receive one or multiple said unit of measurement, preferably in suitably encrypted format, that may use any 

37 method, and transfer said unit of measurement into the said secret proc es s in g device, and or accessible to the 

38 secret processing device, and or 

39 request the supply of one or multiple data keys that may be required by the said secret processing device, and or 
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1 receive one or multiple data keys and transfer said daia keys into the said secret processing device, and or 

2 accessible to said secret processing device , using any method, and or 

3 generate one or multiple reports of software usage and or any other information mat may be required, and 

4 supply said reports to said service provider and or any other external location, as required, and or 

5 receive one or multiple codes confirming that said report has been received and supply said one or multiple 

6 woracenfinning into said secrw and or accessible to smd secret proccssm^ 

7 request the service provider and or any other authorised party for one or multiple codes that may be used to 

8 reactivate part or all of said secret processing device tnm may have been disabled for any reaa^ 

9 receive one or multiple codes to reactivate pan or all of said secret processing device that may nave been 

10 disabled for any reason and transfer said codes into said secret processing device, and or accessible to said 

11 seem processing device, and or 

12 for any of the preceding, the information generated by said PUCDPS and or received from said service provider is 

13 preferably transferred electronically, however, any other combination of methods may be used including m»iiin g of 

14 computer-accessible memory media amtaining the information. 
15 

2. A method of distributing software objects according to Claim 1, wherein said secret processing device may:

securely decrypt and execute (in this claim execution and process and processing are interchangeable and refer to execution of instructions and [illegible]) data; and or
securely decrypt and execute and or process [illegible] part or all of the requirements of reversing functional limitations [illegible]; and or
reverse any functional limitations applied that are said Groover compatible; and or
reverse part or all any functional limitations applying to said protected software object; and or
may decide to reverse one or multiple said functional limitations applied to one or multiple said protected software objects, based on the said conditions of use said securely linked to said protected software objects, where said decide is an autonomous decision, based in part at least, on secure processing of information internal and or external to said secret processing device, and that as long as said the requirements of one or multiple said protected software objects and or said secret processing device are complied with, the user of a said PUCDPS is able to execute and or process one or multiple said protected software object on the same basis as if they were said software object; and or
transfer into said secret processing device and or have transferred any part of one or multiple information that may be necessary to provide any of the functions required by said protected software object; and or
access any information that may be located external to said secret processing device in order to provide any of the functions required by said protected software object; and or
examine said conditions of use said securely linked to said protected software object; and or
determine a response to said conditions of use; and or
respond to said conditions of use; and or
provide one or multiple area of secure memory that is not practical to analyse; and or
provide for partition of secure memory into one or multiple secure system partitions and one or multiple user partitions whereby programs in said system partitions may access said user partitions, however, said user partition may not access said system partition unless authorised, and or any particular said user partition may not access any other said user partition unless authorised; and or
may transfer part or all any one or multiple said protected software object and or any other software objects from unsecure to said secure locations for processing and or transfer any information from said secure location to said unsecure location; and or
may securely decrypt part or all of decrypted parts of said protected software object and or any other encrypted information within said secure locations; and or
may process part or all of one or multiple said protected software object in secrecy, including processing of part or all of that information loaded in encrypted format and decrypted; and or
have the capacity to detect whether part or all of said [illegible]; and or
handle the requirements of a large number of different protected software objects that it has not been specifically preconfigured for while in unsecure locations; and or
may perform secret encryption and or secret decryption in a manner that cannot be analysed, and this may be a software and or hardware function; and or
have the capacity to implement in part or whole, one or multiple hardware devices in programmable logic and preferably programmable logic that may be rapidly erased in the event of tampering, and this includes encryption and or decryption functions implemented in part or whole in hardware, and hardware functions implemented in programmable logic may be dynamically programmed by one or multiple protected software object; and or
may use any method to determine that there is an attempt to gain access to secret information within itself, and said attempt may be physical and or logical analysis, and the response may be any action, using any method, including disabling, temporarily and or permanently, part or all of itself and or invalidating in any way part or all of the secret information that may be stored within secure memory storage devices; and or
may securely store information in encrypted and or clear code format in locations inaccessible to unauthorised parties and or securely store information in encrypted format in locations that may be accessible to unauthorised parties, and may detect tampering with stored information; and or
may have the capacity to securely monitor the usage of said protected software object; and or
may be loaded with information that is any one or multiple units of use, in any secure format, that may be securely stored within said secret processing device and or securely in accessible external locations and said units of use may be used to offset against use of one or multiple said protected software object [illegible] conditions of use, said units of use may be adjusted in any way as they are used and may be used to credit various said producer and or said protected software objects and or any other method that can be used to record directly and or indirectly the payments that are due to various producers and any other interested parties; and or
may securely record the usage of said protected software object and the record may include a secure breakdown of usage on a producer and or product or any other basis, and said record in part or whole is non-volatile; and or
request and or compel the user of said PUCDPS to provide any necessary reports of usage to said service provider and or to any other location; and or
confirm that said reports that have been received as required; and or
not require modification of the PUCDPS operating system; and or
not require special routines to intercept calls to said system operating system; and or
identify the type of said protected software object and act as required; and or
provide or have access to one or multiple tamperproof, non-volatile source of time and or date; and or
provide or have access to one or multiple tamperproof timers; and or
provide one or multiple method of identifying a particular tamperproof environment that may include the use of an electronic signature; and or
provide one or multiple secret codes and or programs that are unique to a particular secure environment and or that are common across particular groups; and or
provide one or multiple programs, that may be preprogrammed and or transferred as required that use secret information unique to said secret processing device; and or
process multiple said protected software object in a multitasking environment and this may be transparent to said User Controlled Data Processing System; and or
include functions, preferably implemented in reprogrammable secure memory, that may be edited and or modified and or deleted and or expanded and or in any other way changed, in a secure manner and usually transparently to the user of said PUCDPS, enabling externally supplied and appropriately configured said protected software object to adapt the secure processes available to said PUCDPS and create one or multiple applications not currently available to said PUCDPS and or that permits any current application to be dynamically adapted, and said adapt includes dynamically reprogramming various hardware functions implemented in part or whole with reprogrammable logic connections and or dynamically modifying decryption processes; and or
are programs and or data preprogrammed into the device and or transferred in encrypted format and or in clear code that assist any other function that includes the processing of said protected software object; and or
include secure memory that stores various internal system routines and may be loaded with externally supplied objects for decryption and or execution and or any other purpose; and or
may partition secure memory that forms part of said [illegible] into secure system memory and secure user memory, wherein programs within system memory may access those in user memory, however, user programs may not access system memory on an unauthorised basis, furthermore, said user memory may be further partitioned into multiple user partitions, wherein each user partition cannot affect information within other user partitions.

3. A method of distributing software objects according to Claim 1, wherein said not practical may be interpreted as multiple levels of difficulty depending on the requirements and may be too difficult:
for a normal user,
with disassembly of said parts that are not functionally limited,
with attempts at characterising encrypted information in the hope of breaking encryption methods;
with attempts at destroying the package to view the information within.

4. A method of distributing software objects according to Claim 1, wherein said Oscar compatible is any functional limitation of part or all of a software object by any method of encryption, usually at a secure location remote to the user, where part or all of the reversal of the encrypted information, by decryption and or any other method, occurs within a secure environment directly and or indirectly attached to a user controlled data processing system such that part or all of the instructions and or data of the software object reconstituted by said reversal are not accessible to analysis by any unauthorised party and the execution of part or all of said instructions and or the processing (using any method) of part or all of said data that is not accessible to analysis by an unauthorised party remains in part or whole inaccessible to analysis by any unauthorised party. The result is that part at least of the functional limitation placed on a software object is not compromised by the process of using said software object.

5. A method of distributing software objects according to Claim 1, wherein said Groover compatible is any functional limitation of part or all of a software object by deletion of part or all of the information within the software object, usually at a secure location remote to the user, where part or all of the reversal of the deletion, by any other method, occurs within a secure environment directly and or indirectly attached to a UCDPS such that part or all of the instructions and or data of the software object reconstituted by said reversal are not accessible to analysis by any unauthorised party and the execution of part or all of said instructions and or the processing (using any method) of part or all of said data that is not accessible to analysis by an unauthorised party remains in part or whole inaccessible to analysis by any unauthorised party. The result is that part at least of the functional limitation placed on a software object is not compromised by the process of using said software object.

6. A method of distributing software objects according to Claim 2, wherein said determine a response to said conditions may be based on a plurality of information states within and or external to said secret processing device, including the availability of one or multiple said units of measurement to offset against any requirements in said conditions of use, appropriate entry of any data key, compliance with reporting requirements, validation of said conditions of use supplied with said protected software objects against appropriate values stored within said secret processing device.

7. An apparatus for distributing software objects, [illegible] integrated into the same integrated [illegible] said user controlled data processing system, and preferably does not interfere with the normal functions of said system microprocessor, the secret processing device may also form an integral part of a multiprocessor system microprocessor, part or all of said secret processing device may be integrated into any one or multiple devices external to said system microprocessor and attached directly and or indirectly to said user controlled data processing system:

said secret processing device includes one or multiple secure microprocessors and one or multiple blocks of secure memory storage devices, that may be any type [illegible] other functions as described, wherein said secret processing device may:

securely decrypt and execute and or process instructions and securely decrypt [illegible]; and or
securely decrypt and execute and or process [illegible] part or all of the requirements of reversing [illegible]; and or
reverse any functional limitations applied that are said Groover compatible; and or
reverse part or all any functional limitations applying to said protected software object; and or
may decide to reverse one or multiple said functional limitations applied to one or multiple said protected software objects, based on the said conditions of use said securely linked to said protected software objects, where said decide is an autonomous decision, based in part at least, on secure processing of information internal and or external to said secret processing device, and that as long as said the requirements of one or multiple said protected software objects and or said secret processing device are complied with, the user of a said user controlled data processing system is able to execute and or process one or multiple said protected software object on the same basis as if they were said software object; and or
have the capacity to implement in part or whole, one or multiple hardware devices in programmable logic and preferably programmable logic that may be rapidly erased in the event of tampering, and this includes encryption and or decryption functions implemented in part or whole in hardware, and hardware functions implemented in programmable logic may be dynamically programmed by one or multiple protected software object; and or
transfer into itself and or has transferred any part of one or multiple information that may be necessary to provide any of the functions required by said protected software object; and or
access any information that may be located external to said secret processing device in order to provide any of the functions required by said protected software object; and or
examine the said conditions of use said securely linked to said protected software object; and or
determine a response to said conditions of use; and or
respond to said conditions of use; and or
provide one or multiple area of secure memory that is not practical to analyse; and or
provide for partition of secure memory into one or multiple secure system partitions and one or multiple user partitions whereby programs in said system partitions may access said user partitions, however, said user partition may not access said system partition unless authorised, and or any particular said user partition may not access any other said user partition unless authorised; and or
may transfer part or all any one or multiple said protected software object and or any other software objects from unsecure to said secure locations for processing and or transfer any information from said secure location to said unsecure location; and or
may securely decrypt part or all of decrypted parts of said protected software object and or any other encrypted information within said secure locations; and or
may process part or all of one or multiple said protected software object in secrecy, including processing of part or all of that information loaded in encrypted format and decrypted; and or
have the capacity to detect [illegible]; and or
may perform secret encryption and or secret decryption in a manner that cannot be analysed, and this may be a software and or hardware function; and or
have the capacity to implement in part or whole, one or multiple hardware devices in programmable logic and preferably programmable logic that may be rapidly erased in the event of tampering, and this includes encryption and or decryption functions implemented in part or whole in hardware, and hardware functions implemented in programmable logic may be dynamically programmed by one or multiple protected software object; and or
may use any method to determine that there is an attempt to gain access to secret information within itself, and said attempt may be physical and or logical analysis, and the response may be any action, using any method, including disabling, temporarily and or permanently, part or all of itself and or invalidating in any way part or all of the secret information that may be stored within secure memory storage devices; and or
may securely store information in encrypted and or clear code format in locations inaccessible to unauthorised parties and or securely store information in encrypted format in locations that may be accessible to unauthorised parties, and may detect tampering with stored information; and or
may have the capacity to securely monitor the usage of said protected software object; and or
may be loaded with information that is any one or multiple units of use, in any secure format, that may be securely stored within said secret processing device and or securely in accessible external locations and said units of use may be used to offset against use of one or multiple said protected software object [illegible] conditions of use, said units of use may be adjusted in any way as they are used and may be used to credit various said producer and or said protected software objects and or any other method that can be used to record directly and or indirectly the payments that are due to various producers and any other interested parties; and or
may securely record the usage of said protected software object and the record may include a secure breakdown of the usage on a producer and or product or any other basis, and said record in part or whole is non-volatile; and or
request and or compel the user of said user controlled data processing system to provide any necessary reports of usage to said service provider and or to any other location; and or
confirm that said reports that have been received as required; and or
not require modification of the PUCDPS operating system; and or
not require special routines to intercept calls to said system operating system; and or
identify the type of said protected software object and act as required; and or
provide or have access to one or multiple tamperproof, non-volatile source of time and or date; and or
provide or have access to one or multiple tamperproof timers; and or
provide one or multiple method of identifying a particular tamperproof environment that may include the use of an electronic signature; and or
provide one or multiple secret codes and or programs that are unique to a particular secure environment and or that are common across particular groups; and or
provide one or multiple programs, that may be preprogrammed and or transferred as required that use secret information unique to said secret processing device; and or
process multiple said protected software object in a multitasking environment and this may be transparent to said User Controlled Data Processing System; and or
include functions, preferably implemented in reprogrammable secure memory, that may be edited and or modified and or deleted and or expanded and or in any other way changed in a secure manner and usually transparently to the user of said PUCDPS, enabling externally supplied and appropriately configured said protected software object to adapt the secure processes available to said PUCDPS and create one or multiple applications not currently available to said PUCDPS and or that permits any current application to be dynamically adapted, and said adapt includes dynamically reprogramming various hardware functions implemented in part or whole with reprogrammable logic connections and or dynamically modifying decryption processes; and or
are programs and or data preprogrammed into the device and or transferred in encrypted format and or in clear code that assist any other function that includes the processing of said protected software object; and or
include secure memory that stores various internal system routines and may be loaded with externally supplied objects for decryption and or execution and or any other purpose.

8. A method of distributing software objects according to Claim 7, wherein said determine a response to said conditions may be based on a plurality of information states within and or external to said secret processing device, including the availability of one or multiple said units of measurement to offset against any requirements in said conditions of use, appropriate entry of any data key, compliance with reporting requirements, validation of said conditions of use supplied with said protected software objects against appropriate values stored within said secret processing device.
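Claims 6 and 8 list the information states the secret processing device weighs before it reverses the functional limitation on a protected software object: validation of the linked conditions of use against values it holds, entry of any data key, compliance with reporting, and sufficient units of use. The Python model below is an added illustration, not code from the patent or from any product: a producer encrypts the object and links its conditions of use to the ciphertext with an HMAC tag, and the device checks each state in turn before decrypting, debiting the units and appending to its non-volatile usage record. The HMAC counter-mode keystream, the JSON conditions format, the field names and the report threshold are all assumptions of the example.

```python
# Model of a secret processing device deciding, per claims 6 and 8, whether to
# reverse the functional limitation on a protected software object (PSO).
# Added illustration only; formats, field names and the toy cipher are assumptions.
import hashlib
import hmac
import json
from dataclasses import dataclass, field


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in stream cipher: HMAC-SHA256 in counter mode (an assumption of the
    # example; the patent allows "any method of encryption").
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def conditions_tag(key: bytes, nonce: bytes, ciphertext: bytes, conditions: dict) -> str:
    # One MAC over ciphertext and conditions "securely links" them: editing either
    # (for example lowering the fee) breaks validation inside the device.
    cond_bytes = json.dumps(conditions, sort_keys=True).encode()
    return hmac.new(key, nonce + ciphertext + cond_bytes, hashlib.sha256).hexdigest()


def make_pso(producer_key: bytes, nonce: bytes, clear_object: bytes, conditions: dict) -> dict:
    # Producer side ("Oscar compatible" limitation): encrypt the object at the
    # producer's secure location and attach the linked conditions of use.
    ciphertext = xor_bytes(clear_object, keystream(producer_key, nonce, len(clear_object)))
    return {"nonce": nonce.hex(), "ciphertext": ciphertext.hex(), "conditions": conditions,
            "tag": conditions_tag(producer_key, nonce, ciphertext, conditions)}


@dataclass
class SecretProcessingDevice:
    # State the patent keeps inside the secure boundary (constructed model).
    producer_keys: dict                 # producer id -> secret shared with that producer
    units: int                          # generic units of use held in secure storage
    data_keys: set = field(default_factory=set)
    reports_outstanding: int = 0        # executions not yet reported to the service provider
    max_unreported: int = 3             # reporting requirement (assumed threshold)
    usage_record: list = field(default_factory=list)  # non-volatile producer/product breakdown

    def determine_response(self, pso: dict) -> tuple:
        # Claims 6/8: weigh internal state against the PSO's conditions of use.
        cond = pso["conditions"]
        key = self.producer_keys.get(cond.get("producer"))
        if key is None:
            return False, "unknown producer"
        nonce, ciphertext = bytes.fromhex(pso["nonce"]), bytes.fromhex(pso["ciphertext"])
        if not hmac.compare_digest(conditions_tag(key, nonce, ciphertext, cond), pso["tag"]):
            return False, "conditions of use do not validate"
        if cond.get("data_key") and cond["data_key"] not in self.data_keys:
            return False, "data key not entered"
        if self.reports_outstanding >= self.max_unreported:
            return False, "usage report overdue"
        if self.units < cond.get("fee_units", 0):
            return False, "insufficient units of use"
        return True, "ok"

    def execute(self, pso: dict) -> tuple:
        # Reverse the limitation only after a positive decision, debit the units and
        # record usage. In the real device the clear object never leaves secure memory.
        ok, reason = self.determine_response(pso)
        if not ok:
            return None, reason
        cond = pso["conditions"]
        ciphertext = bytes.fromhex(pso["ciphertext"])
        clear = xor_bytes(ciphertext, keystream(self.producer_keys[cond["producer"]],
                                                bytes.fromhex(pso["nonce"]), len(ciphertext)))
        fee = cond.get("fee_units", 0)
        self.units -= fee
        self.usage_record.append((cond["producer"], cond.get("product"), fee))
        self.reports_outstanding += 1
        return clear, reason

    def generate_report(self) -> list:
        # Usage report for the service provider; clears the reporting backlog.
        report = list(self.usage_record)
        self.reports_outstanding = 0
        return report


if __name__ == "__main__":
    # Constructed sample: one producer secret, one PSO carrying a fee of 4 units.
    secret = b"constructed-producer-secret"
    device = SecretProcessingDevice(producer_keys={"acme": secret}, units=10)
    pso = make_pso(secret, b"\x01" * 8, b"MOV AX, 1",
                   {"producer": "acme", "product": "calc", "fee_units": 4})
    print(device.execute(pso), device.units)  # (b'MOV AX, 1', 'ok') 6
```

Each refusal reason corresponds to one of the information states the claims name, so a tampered fee, a missing data key, an overdue report and an exhausted unit balance each block the reversal on their own.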
9. An apparatus for distributing software objects according to Claim 7, wherein said Oscar compatible is any functional limitation of part or all of a software object by any method of encryption, usually at a secure location remote to the user, where part or all of the reversal of the encrypted information, by decryption and or any other method, occurs within a secure environment directly and or indirectly attached to a user controlled data processing system such that part or all of the instructions and or data of the software object reconstituted by said reversal are not accessible to analysis by any unauthorised party and the execution of part or all of said instructions and or the processing (using any method) of part or all of said data that is not accessible to analysis by an unauthorised party remains in part or whole inaccessible to analysis by any unauthorised party. The result is that part at least of the functional limitation placed on a software object is not compromised by the process of using said software object.

10. An apparatus for distributing software objects according to Claim 7, wherein said Groover compatible is any functional limitation of part or all of a software object by deletion of part or all of the information within the software object, usually at a secure location remote to the user, where part or all of the reversal of the deletion, by any other method, occurs within a secure environment directly and or indirectly attached to a user controlled data processing system such that part or all of the instructions and or data of the software object reconstituted by said reversal are not accessible to analysis by any unauthorised party and the execution of part or all of said instructions and or the processing (using any method) of part or all of said data that is not accessible to analysis by an unauthorised party remains in part or whole inaccessible to analysis by any unauthorised party. The result is that part at least of the functional limitation placed on a software object is not compromised by the process of using said software object.

11. An apparatus for distributing software objects according to Claim 7, wherein said protected software object is a software object that has been reversibly functionally limited to be reversed in part or whole by functions provided by said secret processing device.

12. An apparatus for distributing software objects according to Claim 7, wherein said conditions of use may be a plurality of conditions securely linked to said protected software object that are extracted in part or whole by said secret processing device and used to determine whether to reverse the said functional limitations applied to one or multiple said protected software object.

13. A method of securely protecting and distributing software objects substantially as hereinbefore described with reference to the drawings.

14. An apparatus for distributing software objects substantially as hereinbefore described with reference to the drawings.
15. The steps, features, compositions and compounds disclosed herein or referred to or indicated in the specification and/or claims of this application, individually or collectively, and any and all combinations of any two or more of said steps or features.
[Figure 1 (sheet 1/4): drawing; legible block labels: System CPU, Decoder.]

[Figure 2 (sheet 2/4): drawing; legible block labels: Secure CPU, SRAM, Dual Port RAM, PCB Edge Connector, UCDPS Bus Connector.]

[Figure 3 (sheet 3/4): drawing; legible block labels: Secure CPU Address Decode, System CPU, Watch Dog Timer, Use 1 to Use n.]

[Figure 4 (sheet 4/4): drawing; legible block labels: System CPU, Secure CPU, DMA, MUX.]
INTERNATIONAL SEARCH REPORT
International Application No. PCT/AU 97/00010

A. CLASSIFICATION OF SUBJECT MATTER
Int. Cl.: G06F 12/14
According to International Patent Classification (IPC) or to both national classification and IPC

B. FIELDS SEARCHED
Minimum documentation searched (classification system followed by classification symbols): IPC: G06F 12/14
Documentation searched other than minimum documentation to the extent that such documents are included in the fields searched: AU; IPC as above
Electronic data base consulted during the international search (name of data base and, where practicable, search terms used): [not stated]

C. DOCUMENTS CONSIDERED TO BE RELEVANT
Category X: WO-A-9522796 (INFOSAFE SYSTEMS INC) 24 August 1995; see whole document. Relevant to claims 1-15.
Category X: WO-A-9321581 (SECURE COMPUTING CORPORATION) 28 October 1993; see page 10 line 18 to page 11 line 35 and page 18 line 35 to page 19 line 7. Relevant to claims 1-15.
Category X: EP-A2-561685 (FUJITSU LIMITED) 22 September 1993; see column 4 lines 15-25. Relevant to claims 1-15.
Further documents are listed in the continuation of Box C; see patent family annex.

Special categories of cited documents:
"A" document defining the general state of the art which is not considered to be of particular relevance
"E" earlier document but published on or after the international filing date
"L" document which may throw doubts on priority claim(s) or which is cited to establish the publication date of another citation or other special reason (as specified)
"O" document referring to an oral disclosure, use, exhibition or other means
"P" document published prior to the international filing
"T" later document published after the international filing date or priority date and not in conflict with the application but cited to understand the principle or theory underlying the invention
"X" document of particular relevance; the claimed invention cannot be considered novel or cannot be considered to involve an inventive step when the document is taken alone
"Y" document of particular relevance; the claimed invention cannot be considered to involve an inventive step when the document is combined with one or more other such documents, such combination being obvious to a person skilled in the art
"&" document member of the same patent family

Date of the actual completion of the international search: 7 April 1997
Date of mailing of the international search report: [not legible]
Name and mailing address of the ISA/AU: AUSTRALIAN INDUSTRIAL PROPERTY ORGANISATION, PO BOX 200, WODEN ACT 2606, AUSTRALIA. Facsimile No.: (06) 285 3929
Authorized officer: [name illegible]. Telephone No.: (06) 283 2547
Form PCT/ISA/210 (second sheet) (July 1992)

C (Continuation). DOCUMENTS CONSIDERED TO BE RELEVANT
WO-A-9214209 (TOVEN TECHNOLOGIES INC) 20 August 1992; see whole document. Relevant to claims 1-15.
WO-A-9013865 (SOFTEL INC) 15 November 1990; see whole document. Relevant to claims 1-15.
EP-A2-266748 (INTERNATIONAL BUSINESS MACHINES CORPORATION) 15 May 1988; see column 4 line 28 to column 15 line 16. Relevant to claims 1-15.
(The category column of the continuation sheet is not legible.)
Form PCT/ISA/210 (second sheet) (July 1992)

INTERNATIONAL SEARCH REPORT: Information on patent family members
International Application No. PCT/AU 97/00010
This Annex lists the known "A" publication level patent family members relating to the patent documents cited in the above-mentioned international search report. The Australian Patent Office is in no way liable for these particulars which are merely given for the purpose of information.

Patent document cited in search report: patent family members
WO 9522796: AU-A1 [number illegible]; US-A 5394469
WO 9321581: AU-A1 [number illegible]; AU-B2 667925; AU-A1 [number illegible]; EP-A2 737907; JP-T2 [number illegible]; US-A 5276735; US-A 5499297
EP 561685: JP-A2 5257816; US-A 5392351; US-A 5555304
WO 9214209: AU-A1 12009/92; CA-A 2035697; US-A 5325430
WO 9013865: AT-E 143511; AU-A1 56464/90; AU-B2 641397; CA-A 2053261; CN-A 1048271; DE-C 69028705; EP-A1 478571; JP-T2 4504794; US-A 5388211; US-A 5497479
EP 266748: DE-C 3751047; JP-A2 63127334; US-A 5109413
END OF ANNEX
Form PCT/ISA/210 (extra sheet) (July 1992)